
Windows Analysis Report
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe

Overview

General Information

Sample name: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
Analysis ID: 1578288
MD5: a3cfe4942b0ee84ab5a32698860f6ebf
SHA1: 835c4f861af46c8ee071041c8ada8acf8193a1da
SHA256: 3799b7afd9b7360155c78f5c93934d8bb304b6eda203c442a285b0992f1f8c36
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["kiolokgangan.duckdns.org:2430:1", "apieconi.duckdns.org:2439:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QJ4441", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown | strings below
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown | strings below
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown | strings below
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings
3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | strings below
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | strings below
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: ..., EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-QJ4441\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T14:32:10.889723+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 192.169.69.26 | 2430 | TCP
2024-12-19T14:32:13.073323+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 31.13.224.72 | 2439 | TCP
2024-12-19T14:32:18.979562+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 31.13.224.72 | 2439 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T14:32:15.901914+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Avira: detected
Source: apieconi.duckdns.org | Avira URL Cloud: Label: malware
Source: kiolokgangan.duckdns.org | Avira URL Cloud: Label: malware
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["kiolokgangan.duckdns.org:2430:1", "apieconi.duckdns.org:2439:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QJ4441", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2384822274.000000000050F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,3_2_00404423
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_182dd5db-7

Exploits

Source: Yara match | File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10006580 FindFirstFileExA,0_2_10006580
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

Networking

                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 192.169.69.26:2430
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49705 -> 31.13.224.72:2439
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 31.13.224.72:2439
                      Source: Malware configuration extractorURLs: kiolokgangan.duckdns.org
                      Source: Malware configuration extractorURLs: apieconi.duckdns.org
                      Source: unknownDNS query: name: apieconi.duckdns.org
                      Source: unknownDNS query: name: kiolokgangan.duckdns.org
                      Source: global trafficTCP traffic: 192.168.2.5:49705 -> 31.13.224.72:2439
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 31.13.224.72 31.13.224.72
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewASN Name: SARNICA-ASBG SARNICA-ASBG
                      Source: Joe Sandbox ViewASN Name: WOWUS WOWUS
                      Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 0_2_004260F7 recv,0_2_004260F7
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486278998.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000003.2267112289.0000000000A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000003.2267112289.0000000000A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486142206.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486142206.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: global traffic | DNS traffic detected: DNS query: kiolokgangan.duckdns.org
                      Source: global traffic | DNS traffic detected: DNS query: apieconi.duckdns.org
                      Source: global traffic | DNS traffic detected: DNS query: geoplugin.net

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 | 0_2_004099E4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 0_2_004159C6
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 3_2_0040987A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 3_2_004098E2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 4_2_00406DFC
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 4_2_00406E9F
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 5_2_004068B5
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 5_2_004072B5
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 0_2_00409B10
                      Source: Yara match | File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
                      Source: Yara match | File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match | File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
                      Source: Yara match | File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2384822274.000000000050F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041BB77 SystemParametersInfoW | 0_2_0041BB77

                      System Summary

                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00401806 NtdllDefWindowProc_W
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_004018C0 NtdllDefWindowProc_W
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004016FD NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004017B7 NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00402CAC NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00402D66 NtdllDefWindowProc_A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0041D071
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_004520D2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0043D098
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00437150
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_004361AA
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00426254
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00431377
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0043651C
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0041E5DF
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0044C739
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_004367C6
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_004267CB
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0043C9DD
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00432A49
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00436A8D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0043CC0C
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00436D48
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00434D22
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00426E73
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00440E20
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_0043CE3B
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00412F45
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00452F00
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_00426FAD
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_10017194
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 0_2_1000B5C1
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044B040
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0043610D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00447310
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044A490
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0040755A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0043C560
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044B610
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044D6C0
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_004476F0
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044B870
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044081D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00414957
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_004079EE
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00407AEB
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044AA80
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00412AA9
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00404B74
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00404B03
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_0044BBD8
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00404BE5
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00404C76
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00415CFE
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00416D72
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00446D30
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00446D8B
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 3_2_00406E8F
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00405038
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0041208C
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004050A9
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0040511A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0043C13A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004051AB
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00449300
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0040D322
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0044A4F0
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0043A5AB
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00413631
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00446690
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0044A730
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004398D8
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_004498E0
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0044A886
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0043DA09
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00438D5E
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00449ED0
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_0041FE83
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 4_2_00430F54
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_004050C2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_004014AB
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00405133
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_004051A4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00401246
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_0040CA46
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00405235
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_004032C8
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_004222D9
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00401689
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: 5_2_00402F60
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 004169A7 appears 87 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 004165FF appears 35 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00422297 appears 42 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00401F66 appears 50 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00433FB0 appears 55 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 004020E7 appears 40 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 0044DB70 appears 41 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00444B5A appears 37 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 004338A5 appears 42 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00413025 appears 79 times
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Code function: String function: 00416760 appears 69 times
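The rows for 0_2_00417245, 0_2_0041ACC1, 0_2_0041ACED and 3_2_0040DD85 above are the API call chains the sandbox recovered from disassembly, and they are what the "Contains functionality to inject code into remote processes" and "Maps a DLL or memory area into another process" verdicts in the signature list rest on. Read in call order, 0_2_00417245 is a process-hollowing variant: CreateProcessW spawns a host, NtCreateSection and NtMapViewOfSection take the place of VirtualAllocEx as the way the payload is placed in the child (the second NtMapViewOfSection after GetCurrentProcess suggests the same section is also mapped locally), WriteProcessMemory patches it, and Wow64SetThreadContext followed by ResumeThread redirects the suspended main thread. 3_2_0040DD85 walks the system handle table (NtQuerySystemInformation, DuplicateHandle, NtQueryObject, then _wcsicmp on the result), which is how a process reads the names of objects it does not own. The Python below is an added example, written by the editor and not part of the Joe Sandbox report or of the sample, that parses rows in this format (accepting both the fused text export with the trailing duplicate function id and a cleaned-up form) and flags such ordered API subsequences. The pattern table, the reading of the id prefix as process index and dump number, and the sample rows (copied from this section) are the editor's assumptions.

```python
"""Flag ordered API subsequences in Joe Sandbox 'Code function' rows.

Added example by the editor; the pattern table and the meaning assigned to
the '<process>_<dump>_<address>' id prefix are assumptions, not report facts.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: rows copied from the System Summary above, in the fused
# form a text export produces ("...exeCode function: ...GetLastError,0_2_00417245").
SAMPLE = r"C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe"
REPORT_ROWS = "\n".join("Source: " + SAMPLE + "Code function: " + row for row in [
    "0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,"
    "GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,"
    "NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,"
    "TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,"
    "Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,"
    "NtClose,TerminateProcess,GetLastError,0_2_00417245",
    "0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1",
    "0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,0_2_0041ACED",
    "3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,"
    "CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,"
    "DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85",
    "0_2_0041D0710_2_0041D071",  # bare row: no API names, id fused onto itself
])

ROW_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})(?P<rest>.*)$")

# Each pattern is an ordered list of steps; a step is satisfied by any API in its set.
CREATE = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
SET_CTX = {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}
PATTERNS: Dict[str, List[Set[str]]] = {
    "process hollowing (section remap)": [
        CREATE, {"NtCreateSection"}, {"NtMapViewOfSection"}, WRITE, SET_CTX, RESUME],
    "process hollowing (unmap + write)": [
        CREATE, {"NtUnmapViewOfSection"}, WRITE, SET_CTX, RESUME],
    "remote process suspend": [{"OpenProcess"}, {"NtSuspendProcess"}],
    "remote process resume": [{"OpenProcess"}, {"NtResumeProcess"}],
    "handle table walk (named-object hunt)": [
        {"NtQuerySystemInformation"}, {"DuplicateHandle"}, {"NtQueryObject"}],
}


def parse_row(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (function id, [APIs in call order]) for one report row, else None."""
    m = ROW_RE.search(line)
    if not m:
        return None
    fid, rest = m.group("fid"), m.group("rest").strip()
    # The report repeats the function id as the row's last cell; a text export
    # fuses it onto the API list ("...GetLastError,0_2_00417245"), so drop it.
    if rest.endswith(fid):
        rest = rest[: -len(fid)].rstrip(", ")
    apis = [a.strip() for a in rest.split(",") if a.strip()]
    return fid, apis


def matches_in_order(apis: List[str], steps: List[Set[str]]) -> bool:
    """True when every step is hit by some API, in order, with gaps allowed."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def scan(report_text: str) -> Dict[str, List[str]]:
    """Map function id -> names of the patterns its API chain satisfies."""
    hits: Dict[str, List[str]] = {}
    for line in report_text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        fid, apis = parsed
        found = [name for name, steps in PATTERNS.items() if matches_in_order(apis, steps)]
        if found:
            hits[fid] = found
    return hits


def process_index(fid: str) -> int:
    """'3_2_0040DD85' -> 3: the report's process number (assumed field meaning)."""
    return int(fid.split("_")[0])


if __name__ == "__main__":
    for fid, names in scan(REPORT_ROWS).items():
        print(f"process {process_index(fid)} {fid}: " + "; ".join(names))
```

0_2_00417245 satisfies both hollowing patterns because it mixes the two techniques (it unmaps the host's image and maps a fresh section, and still patches with WriteProcessMemory); the ordered-subsequence match deliberately tolerates the unrelated calls in between, which is also why it should be paired with the process-relationship evidence elsewhere in the report rather than used alone.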
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270177461.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2244894480.0000000000510000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486278998.00000000034FB000.00000040.10000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2242916466.00000000026B1000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.000000000051D000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.0000000000557000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Binary or memory string: OriginalFileName vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Binary or memory string: OriginalFilename vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.000000000041B000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenamemspass.exe8 vs 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
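The OriginalFilename rows above compare a version resource found in memory with the name of the file on disk. The sample itself exposes no OriginalFilename value (the two rows without one), but several dumps from process 0 and one from process 5 contain a PE whose version resource reads mspass.exe, the original filename of NirSoft's Mail PassView, which is consistent with the "Tries to steal Mail credentials" verdicts in the signature list. The Python below is an added example, written by the editor and not part of the Joe Sandbox report, that collapses such rows into one finding per embedded OriginalFilename, records which process dumps carried it, flags the mismatch against the on-disk name and annotates names from a small editor-maintained table of password-recovery tools. The sample rows are copied from this section; the reading of the first dump-id field as the process index is an assumption, as is the tool table.

```python
"""Triage 'Binary or memory string: OriginalFilename... vs ...' report rows.

Added example by the editor; the tool table and the reading of the first
dump-id field as the process index are assumptions, not report facts.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe"

# Constructed input: rows copied from the System Summary above, including the two
# rows for the on-disk sample that carry no OriginalFilename value at all.
REPORT_ROWS = "\n".join([
    f"Source: {SAMPLE}, 00000000.00000003.2270177461.000000000057C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs {SAMPLE}",
    f"Source: {SAMPLE}, 00000000.00000002.4486278998.00000000034FB000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs {SAMPLE}",
    f"Source: {SAMPLE}Binary or memory string: OriginalFileName vs {SAMPLE}",
    f"Source: {SAMPLE}Binary or memory string: OriginalFilename vs {SAMPLE}",
    f"Source: {SAMPLE}, 00000005.00000002.2255375584.000000000041B000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs {SAMPLE}",
])

# Editor's lookup of NirSoft password-recovery tools by OriginalFilename (assumption).
KNOWN_TOOLS = {
    "mspass.exe": "NirSoft Mail PassView",
    "webbrowserpassview.exe": "NirSoft WebBrowserPassView",
}

# Memory dump id: dot-separated hex fields ending in .sdmp; first field = process index.
DUMP_RE = re.compile(r"([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)+)\.sdmp")
# Version-resource value; the lazy name stops at the first .exe/.dll, so the stray
# byte the report prints after it ("mspass.exe8") is discarded by \S*.
VALUE_RE = re.compile(
    r"OriginalFile[Nn]ame\s*(?P<orig>[\w.-]+?\.(?:exe|dll))\S*\s+vs\s+(?P<disk>\S+)"
)


def parse_row(line: str) -> Optional[Tuple[Optional[int], str, str]]:
    """(process index, or None for the on-disk file; OriginalFilename; on-disk name)."""
    v = VALUE_RE.search(line)
    if not v:
        return None  # row carries no OriginalFilename value
    d = DUMP_RE.search(line)
    proc = int(d.group(1).split(".")[0]) if d else None
    disk = v.group("disk").rsplit("\\", 1)[-1]
    return proc, v.group("orig"), disk


def triage(report_text: str) -> List[dict]:
    """Collapse per-dump rows into one finding per embedded OriginalFilename."""
    procs: Dict[str, Set[Optional[int]]] = defaultdict(set)
    disk_names: Dict[str, str] = {}
    for line in report_text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        proc, orig, disk = parsed
        procs[orig].add(proc)
        disk_names[orig] = disk
    findings = []
    for orig, where in procs.items():
        findings.append({
            "original_filename": orig,
            "on_disk_name": disk_names[orig],
            "mismatch": orig.lower() != disk_names[orig].lower(),
            "processes": sorted(p for p in where if p is not None),
            "known_tool": KNOWN_TOOLS.get(orig.lower()),
        })
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_ROWS):
        print(f"{f['original_filename']} in processes {f['processes']}: "
              f"mismatch={f['mismatch']}, tool={f['known_tool']}")
```

A version resource naming a different executable than the one on disk is worth a finding on its own; the tool annotation is only a convenience for the names a triage team sees repeatedly, and a miss in the table says nothing about whether the embedded binary is benign.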
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@3/3
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 3_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,3_2_004182CE
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 5_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,5_2_00410DE1
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 3_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,3_2_00418758
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].jsonJump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-QJ4441
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Temp\bhv43FB.tmpJump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: Software\ | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: @N | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: Rmc-QJ4441 | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: 0DG | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: licence | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: `=G | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: dCG | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: Administrator | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: User | 0_2_0040D767
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Command line argument: del | 0_2_0040D767
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeSystem information queried: HandleInformationJump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000004.00000002.2248916717.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486142206.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000003.2267390985.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000003.2266893788.0000000000921000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2268420849.000000000092C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeReversingLabs: Detection: 71%
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknownProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe "C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe"
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wozewdtiejdgzxouhjfjtsesgjjw"
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\ginxwvekzrvlcdcyyuskefrjpqbxsxo"
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rkshxopenznqmrrchfmehklsxwkgtifxyk"
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wozewdtiejdgzxouhjfjtsesgjjw"Jump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\ginxwvekzrvlcdcyyuskefrjpqbxsxo"Jump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeProcess created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rkshxopenznqmrrchfmehklsxwkgtifxyk"Jump to behavior
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: pstorec.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: vaultcli.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: pstorec.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | File opened: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.cfg
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Unpacked PE file: 3.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Unpacked PE file: 4.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Unpacked PE file: 5.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
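Each "Unpacked PE file" row compares two section tables: the image dumped from memory at 0x400000 (a conventional .text/.rdata/.data/.rsrc/.reloc layout) against the file on disk, whose sections are named .MPRESS1 and .MPRESS2, the names the MPRESS packer writes. The on-disk section table therefore describes only the unpacking stub; the real program exists only after the stub has run. The parser below, an added example and not Joe Sandbox code, walks a PE section table with the standard library alone, renders each section's rights the way the report does (E, R, W), and applies the three checks a triage script would make: packer section names, sections that are both writable and executable, and a layout that differs between disk and dump. `build_pe()` constructs header-only images with the two layouts the report prints so the example runs offline; `KNOWN_PACKER_SECTIONS` is a short hand-picked list, not an exhaustive one.

```python
"""Parse a PE section table and compare on-disk section rights with a
runtime dump, the comparison behind the report's 'Unpacked PE file' rows.

Added example for this report; not Joe Sandbox code.  build_pe() makes
constructed header-only PE images for the demo; KNOWN_PACKER_SECTIONS is
a short, non-exhaustive list of section names common packers use.
"""
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

KNOWN_PACKER_SECTIONS = {".MPRESS1", ".MPRESS2", "UPX0", "UPX1", ".aspack", ".vmp0", ".vmp1"}

Section = Tuple[str, int]   # (name, IMAGE_SECTION_HEADER.Characteristics)


def parse_sections(pe: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # COFF.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)       # COFF.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # 4 (sig) + 20 (COFF) + optional header
    sections = []
    for i in range(n_sections):
        # 40-byte IMAGE_SECTION_HEADER: Name[8], 28 bytes we skip, Characteristics
        name, chars = struct.unpack_from("<8s28xI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return sections


def rights(chars: int) -> str:
    """Render Characteristics the way the report does: E, R, W in that order."""
    return "".join(flag for bit, flag in ((E, "E"), (R, "R"), (W, "W")) if chars & bit)


def describe(sections: List[Section]) -> str:
    return "".join(f"{name}:{rights(chars)};" for name, chars in sections)


def assess(on_disk: List[Section], dumped: List[Section]) -> Dict[str, object]:
    """Packer names, W+X sections, and a section layout that changes at run time."""
    findings = []
    disk_names = [n for n, _ in on_disk]
    packer = sorted(set(disk_names) & KNOWN_PACKER_SECTIONS)
    if packer:
        findings.append("packer section names on disk: " + ", ".join(packer))
    for name, chars in on_disk:
        if chars & W and chars & E:
            findings.append(f"writable and executable section on disk: {name}")
    if disk_names != [n for n, _ in dumped]:
        findings.append("section layout differs between on-disk image and runtime dump")
    return {"on_disk": describe(on_disk), "dumped": describe(dumped),
            "findings": findings, "packed": bool(findings)}


def build_pe(sections: List[Section]) -> bytes:
    """Constructed header-only PE (no optional header, no section data); demo input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


# The two layouts the report prints for this sample.
PACKED_ON_DISK = build_pe([(".MPRESS1", E | R), (".MPRESS2", E | R), (".rsrc", W)])
RUNTIME_DUMP = build_pe([(".text", E | R), (".rdata", R), (".data", W), (".rsrc", R), (".reloc", R)])

if __name__ == "__main__":
    result = assess(parse_sections(PACKED_ON_DISK), parse_sections(RUNTIME_DUMP))
    print(result["dumped"], "vs", result["on_disk"])
    for f in result["findings"]:
        print(" -", f)
```

On a real file, pass the bytes of the executable as `on_disk` and the bytes of the memory dump as `dumped`; the parser reads only headers, so a truncated dump still yields a section table. Note that this sample's on-disk image does not have a writable-and-executable section, so that check alone would have missed it; the packer section names and the disk-versus-dump mismatch are what carry the verdict here.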
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_004567E0 push eax; ret 0_2_004567FE
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10002806 push ecx; ret 0_2_10002819
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0044693D push ecx; ret 3_2_0044694D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0044DB70 push eax; ret 3_2_0044DB84
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0044DB70 push eax; ret 3_2_0044DBAC
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_00451D54 push eax; ret 3_2_00451D61
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_0044B090 push eax; ret 4_2_0044B0A4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_0044B090 push eax; ret 4_2_0044B0CC
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00451D34 push eax; ret 4_2_00451D41
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00444E71 push ecx; ret 4_2_00444E81
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00414060 push eax; ret 5_2_00414074
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00414060 push eax; ret 5_2_0041409C
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00414039 push ecx; ret 5_2_00414049
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_004164EB push 0000006Ah; retf 5_2_004165C4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00416553 push 0000006Ah; retf 5_2_004165C4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00416555 push 0000006Ah; retf 5_2_004165C4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Window / User API: threadDelayed 6381
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Window / User API: threadDelayed 3603
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-53082
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | API coverage: 9.9 %
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe TID: 7328 | Thread sleep count: 6381 > 30
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe TID: 7328 | Thread sleep time: -19143000s >= -30000s
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe TID: 7328 | Thread sleep count: 3603 > 30
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe TID: 7328 | Thread sleep time: -10809000s >= -30000s
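The four "Thread sleep" rows apply two thresholds to one thread (TID 7328): more than 30 sleep calls, and a requested delay at or beyond 30000. The totals only add up in milliseconds: 6381 calls with a total of 19143000 is exactly 6381 x 3000, and 3603 x 3000 = 10809000 likewise, so the thread is calling Sleep(3000) in a loop, requesting roughly eight hours of wall-clock delay in total. That is the classic stalling pattern: a sandbox with a bounded run time has to skip or shorten the waits (which is what the "threadDelayed" rows record) or never reach the code that follows. The aggregation below, an added example and not Joe Sandbox code, rebuilds those rows from a per-call API trace and applies the same two thresholds. The trace is constructed (6381 + 3603 calls of Sleep(3000) on TID 7328, plus a short benign thread), and the line format `TID <n> Sleep(<ms>)` is an assumption about the trace source.

```python
"""Aggregate Sleep()/SleepEx() calls per thread from an API trace and apply
the report's two thresholds: more than 30 calls on one thread, or more than
30 000 ms of requested delay.

Added example for this report; not Joe Sandbox code.  The trace is
constructed to reproduce the report's counts; the line format is assumed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

SLEEP_RE = re.compile(r"^TID\s+(\d+)\s+Sleep(?:Ex)?\((\d+)")


def make_trace(tid: int, calls: int, ms: int) -> List[str]:
    """Constructed trace lines for the demo."""
    return [f"TID {tid} Sleep({ms})" for _ in range(calls)]


SAMPLE_TRACE = (make_trace(7328, 6381, 3000)      # the report's first threadDelayed row
                + make_trace(7328, 3603, 3000)    # the second row, same thread
                + make_trace(7400, 3, 100))       # benign control: three short waits


def aggregate(lines: Iterable[str]) -> Dict[int, Dict[str, int]]:
    """Per-thread call count and total requested delay in milliseconds."""
    stats: Dict[int, Dict[str, int]] = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for line in lines:
        m = SLEEP_RE.match(line)
        if not m:
            continue
        tid, ms = int(m.group(1)), int(m.group(2))
        stats[tid]["count"] += 1
        stats[tid]["total_ms"] += ms
    return dict(stats)


def flag_sleep_evasion(stats: Dict[int, Dict[str, int]],
                       max_count: int = 30, max_total_ms: int = 30_000) -> List[Dict[str, object]]:
    """Threads exceeding either threshold (the report uses 30 calls and 30000 ms)."""
    hits = []
    for tid, s in sorted(stats.items()):
        reasons = []
        if s["count"] > max_count:
            reasons.append(f"sleep count {s['count']} > {max_count}")
        if s["total_ms"] > max_total_ms:
            reasons.append(f"sleep time {s['total_ms']} ms > {max_total_ms} ms")
        if reasons:
            hits.append({"tid": tid,
                         "hours": round(s["total_ms"] / 3_600_000, 1),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in flag_sleep_evasion(aggregate(SAMPLE_TRACE)):
        print(h["tid"], f"~{h['hours']} h requested:", "; ".join(h["reasons"]))
```

Counting both calls and total delay matters: a loop of many tiny sleeps trips the count threshold while staying under the time one, and a single very long sleep does the opposite. A sample that checks elapsed time after each Sleep (GetTickCount or QueryPerformanceCounter) will notice when the sandbox shortens the waits, which is why some analysts prefer to let short runs time out rather than patch Sleep.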
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10006580 FindFirstFileExA,0_2_10006580
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_00418981 memset,GetSystemInfo,3_2_00418981
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2194811130.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2244894480.0000000000557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWd
                      Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2194811130.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.0000000000557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: bhv43FB.tmp.3.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-54091
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] 0_2_00442554
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h] 0_2_10004AB4
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,0_2_00410B19
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_100060E2
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10002639
                      Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe protection: execute and read and write
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe protection: execute and read and write
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe protection: execute and read and write
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe, 0_2_00410F36
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_00418754 mouse_event
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Process created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe (command line: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wozewdtiejdgzxouhjfjtsesgjjw")
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Process created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe (command line: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\ginxwvekzrvlcdcyyuskefrjpqbxsxo")
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Process created: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe (command line: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rkshxopenznqmrrchfmehklsxwkgtifxyk")
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.0000000000542000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.0000000000542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.0000000000542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.0000000000557000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.000000000051F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.0000000000542000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.0000000000542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager>
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_00433E0A cpuid
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoA, 0_2_0040E679
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_004470AE
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_004510BA
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004511E3
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_004512EA
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004513B7
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00447597
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00450A7F
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00450CF7
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00450D42
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00450DDD
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00450E6A
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: 3_2_0041739B GetVersionExW
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2384822274.000000000050F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 0_2_0040B21B
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 0_2_0040B335
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: \key3.db, 0_2_0040B335
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: ESMTPPassword, 4_2_004033F0
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword, 4_2_00402DB3
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword, 4_2_00402DB3
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-QJ4441
Source: Yara match; File source: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 3.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2384822274.000000000050F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7312, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7692, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe PID: 7724, type: MEMORYSTR
Source: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe Code function: cmd.exe, 0_2_00405042

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 13 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 Software Packing | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 DLL Side-Loading | 3 Credentials In Files | 3 File and Directory Discovery | Distributed Component Object Model | 111 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 222 Process Injection | 1 Bypass User Account Control | LSA Secrets | 38 System Information Discovery | SSH | 3 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Security Software Discovery | VNC | GUI Input Capture | 22 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 222 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1578288; Sample: 17346150108fd59162a7f50db4b...; Startdate: 19/12/2024; Architecture: WINDOWS; Score: 100
DNS/IP nodes: kiolokgangan.duckdns.org (192.169.69.26; ports 2430, 49704; WOWUS, United States); apieconi.duckdns.org (31.13.224.72; ports 2439, 49705, 49707; SARNICA-ASBG, Bulgaria); geoplugin.net (178.237.33.50; ports 49706, 80; ATOM86-ASATOM86NL, Netherlands)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures; Uses dynamic DNS services (apieconi.duckdns.org)
Process started: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe; signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 8 other signatures
Child processes started: three further instances of 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe; signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Mail credentials (via file / registry access)

Source | Detection | Scanner | Label | Link
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
apieconi.duckdns.org | 100% | Avira URL Cloud | malware |
kiolokgangan.duckdns.org | 100% | Avira URL Cloud | malware |
http://www.imvu.comata | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
apieconi.duckdns.org | 31.13.224.72 | true | true | | unknown
kiolokgangan.duckdns.org | 192.169.69.26 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
apieconi.duckdns.org | true | Avira URL Cloud: malware | unknown
kiolokgangan.duckdns.org | true | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpd | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2244894480.0000000000510000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2194811130.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.000000000051D000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.000000000051F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhv43FB.tmp.3.dr | false | | high
https://www.office.com/ | bhv43FB.tmp.3.dr | false | | high
http://www.imvu.comr | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486278998.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2244894480.0000000000510000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2194811130.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.000000000051D000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.000000000051F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | bhv43FB.tmp.3.dr | false | | high
http://www.imvu.com | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000003.2255047872.000000000056D000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000003.2254988594.000000000056D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000003.00000002.2267634270.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv43FB.tmp.3.dr | false | | high
https://deff.nelreports.net/api/report?cat=msn | bhv43FB.tmp.3.dr | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4486278998.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.google.com | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | bhv43FB.tmp.3.dr | false | | high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | bhv43FB.tmp.3.dr | false | | high
https://aefd.nelreports.net/api/report?cat=bingaot | bhv43FB.tmp.3.dr | false | | high
http://geoplugin.net/json.gp/C | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | false | | high
https://maps.windows.com/windows-app-web-link | bhv43FB.tmp.3.dr | false | | high
http://geoplugin.net/json.gpO | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2244894480.0000000000510000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2270274918.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2384822274.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2194811130.000000000051F000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000003.2269947674.000000000051D000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000000.00000002.4485767295.000000000051F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingrms | bhv43FB.tmp.3.dr | false | | high
https://www.google.com/accounts/servicelogin | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | false | | high
https://login.yahoo.com/config/login | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | false | | high
http://www.nirsoft.net/ | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.imvu.comata | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000003.2255047872.000000000056D000.00000004.00000020.00020000.00000000.sdmp, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000003.2254988594.000000000056D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, 00000005.00000002.2255375584.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
31.13.224.72 | apieconi.duckdns.org | Bulgaria | 48584 | SARNICA-ASBG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.169.69.26 | kiolokgangan.duckdns.org | United States | 23033 | WOWUS | true
                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1578288
                                                                            Start date and time:2024-12-19 14:31:09 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 8m 11s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@3/3
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:
                                                                            • Successful, ratio: 99%
                                                                            • Number of executed functions: 137
                                                                            • Number of non-executed functions: 301
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                            • VT rate limit hit for: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
Time | Type | Description
08:32:35 | API Interceptor | 4728772x Sleep call for process: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
31.13.224.72 | greatnew.doc | malicious | Remcos |
31.13.224.72 | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos |
31.13.224.72 | 0200011080.xls | malicious | Remcos, HTMLPhisher |
31.13.224.72 | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | malicious | Remcos |
31.13.224.72 | Sipari#U015f_listesi.xls | malicious | Remcos, HTMLPhisher |
31.13.224.72 | OC25-11-24.xls | malicious | Remcos, HTMLPhisher |
178.237.33.50 | LbtytfWpvx.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | RFQ NO 65-58003.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BBVA S.A..vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
kiolokgangan.duckdns.org | seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
geoplugin.net | LbtytfWpvx.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
geoplugin.net | RFQ NO 65-58003.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SARNICA-ASBG | sh4.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | armv4l.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | m68k.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | mipsel.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | armv6l.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | mips.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | sparc.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | armv7l.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | powerpc.elf | malicious | Mirai | 31.13.224.244
SARNICA-ASBG | i586.elf | malicious | Mirai | 31.13.224.244
WOWUS | loligang.x86.elf | malicious | Mirai | 216.244.79.147
WOWUS | MeP66xi1AM.exe | malicious | Remcos, DBatLoader | 192.169.69.26
WOWUS | greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | RFQ_#24429725,pdf.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | hesaphareketi-01.pdf.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | 1734388385543fca13ccf5614dc71c1922a5cd8cddeb80fc9e4bce55f618d2232c3744cd06117.dat-decoded.exe | malicious | Remcos | 192.169.69.26
WOWUS | x295IO8kqM.exe | malicious | Remcos | 192.169.69.26
WOWUS | zvXPSu3dK5.exe | malicious | AsyncRAT | 192.169.69.26
ATOM86-ASATOM86NL | LbtytfWpvx.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | RFQ NO 65-58003.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
                                                                                        No context
                                                                                        No context
Process: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.018384957371898
Encrypted: false
SSDEEP: 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
MD5: C9BB4D5FD5C8A01D20EBF8334B62AE54
SHA1: D38895F4CBB44CB10B6512A19034F14A2FC40359
SHA-256: 767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
SHA-512: 2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
Malicious: false
Reputation: moderate, very likely benign file
Preview:
  {
  "geoplugin_request":"8.46.123.189",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7503",
  "geoplugin_longitude":"-74.0014",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
  }
Process: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xe9951589, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 17301504
Entropy (8bit): 0.8012519660424436
Encrypted: false
SSDEEP: 6144:ydfjZb5aXEY2waXEY24URl0e4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:AVq4e81ySaKKjLrONseWe
MD5: F5C12C4B3A58ACB9623BAF4DD8454D3A
SHA1: 45E5ABFDA562A5A4EFCF09D05426A36006AD25F8
SHA-256: FE4DD18624E3C6BD1AE7BA5CE207CD9AC937ED9B190DF46F7CBFE626A6A976C6
SHA-512: E5E7C23D193B2E6A074AFE9E2FFAA3399872997AB630370FCEC9EE9474F03307576C56A5D0A6216D5317DA983E01B5D69EB090DE0DC72F3F1686528957F9657F
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586795174166636
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
File size: 493'056 bytes
MD5: a3cfe4942b0ee84ab5a32698860f6ebf
SHA1: 835c4f861af46c8ee071041c8ada8acf8193a1da
SHA256: 3799b7afd9b7360155c78f5c93934d8bb304b6eda203c442a285b0992f1f8c36
SHA512: bd9f9435b3c38d5f384b3bd78c7d250f69ab29a9d6dc7b1927cc43a9053ab200239c2a1c6b62d6972ae87a0d8fd36b964ca7f4e808e0de69671f57ed627e7237
SSDEEP: 12288:LuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS1+DY:O09AfNIEYsunZvZ19Zes
TLSH: E9A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
Icon Hash: 95694d05214c1b33
Entrypoint: 0x433b3a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e77512f955eaf60ccff45e02d69234de
Instruction
  call 00007F345CE05013h
  jmp 00007F345CE0496Fh
  push ebp
  mov ebp, esp
  sub esp, 00000324h
  push ebx
  push 00000017h
  call 00007F345CE26E49h
  test eax, eax
  je 00007F345CE04AF7h
  mov ecx, dword ptr [ebp+08h]
  int 29h
  push 00000003h
  call 00007F345CE04CB4h
  mov dword ptr [esp], 000002CCh
  lea eax, dword ptr [ebp-00000324h]
  push 00000000h
  push eax
  call 00007F345CE06FCBh
  add esp, 0Ch
  mov dword ptr [ebp-00000274h], eax
  mov dword ptr [ebp-00000278h], ecx
  mov dword ptr [ebp-0000027Ch], edx
  mov dword ptr [ebp-00000280h], ebx
  mov dword ptr [ebp-00000284h], esi
  mov dword ptr [ebp-00000288h], edi
  mov word ptr [ebp-0000025Ch], ss
  mov word ptr [ebp-00000268h], cs
  mov word ptr [ebp-0000028Ch], ds
  mov word ptr [ebp-00000290h], es
  mov word ptr [ebp-00000294h], fs
  mov word ptr [ebp-00000298h], gs
  pushfd
  pop dword ptr [ebp-00000264h]
  mov eax, dword ptr [ebp+04h]
  mov dword ptr [ebp-0000026Ch], eax
  lea eax, dword ptr [ebp+04h]
  mov dword ptr [ebp-00000260h], eax
  mov dword ptr [ebp-00000324h], 00010001h
  mov eax, dword ptr [eax-04h]
  push 00000050h
  mov dword ptr [ebp-00000270h], eax
  lea eax, dword ptr [ebp-58h]
  push 00000000h
  push eax
  call 00007F345CE06F41h
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4b68 | 0x4c00 | 4600686f74e260300a8865d1e95aab9e | False | 0.28546463815789475 | data | 3.9929686179035975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x55c | data | | | 1.0080174927113703
RT_GROUP_ICON | 0x7ab28 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll: ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll: DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll: BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll: LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll: ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll: CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll: StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll: mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll: send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll: URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll: GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll: InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T14:32:10.889723+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 192.169.69.26 | 2430 | TCP
2024-12-19T14:32:13.073323+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49705 | 31.13.224.72 | 2439 | TCP
2024-12-19T14:32:15.901914+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | TCP
2024-12-19T14:32:18.979562+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 31.13.224.72 | 2439 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 14:32:00.453874111 CET | 49704 | 2430 | 192.168.2.5 | 192.169.69.26
Dec 19, 2024 14:32:00.573781013 CET | 2430 | 49704 | 192.169.69.26 | 192.168.2.5
Dec 19, 2024 14:32:00.573889971 CET | 49704 | 2430 | 192.168.2.5 | 192.169.69.26
Dec 19, 2024 14:32:00.581001043 CET | 49704 | 2430 | 192.168.2.5 | 192.169.69.26
Dec 19, 2024 14:32:00.702400923 CET | 2430 | 49704 | 192.169.69.26 | 192.168.2.5
Dec 19, 2024 14:32:10.889627934 CET | 2430 | 49704 | 192.169.69.26 | 192.168.2.5
Dec 19, 2024 14:32:10.889723063 CET | 49704 | 2430 | 192.168.2.5 | 192.169.69.26
Dec 19, 2024 14:32:10.889812946 CET | 49704 | 2430 | 192.168.2.5 | 192.169.69.26
Dec 19, 2024 14:32:11.010561943 CET | 2430 | 49704 | 192.169.69.26 | 192.168.2.5
Dec 19, 2024 14:32:11.202327967 CET | 49705 | 2439 | 192.168.2.5 | 31.13.224.72
Dec 19, 2024 14:32:11.322479963 CET | 2439 | 49705 | 31.13.224.72 | 192.168.2.5
Dec 19, 2024 14:32:11.322649002 CET | 49705 | 2439 | 192.168.2.5 | 31.13.224.72
Dec 19, 2024 14:32:11.326505899 CET | 49705 | 2439 | 192.168.2.5 | 31.13.224.72
Dec 19, 2024 14:32:11.446181059 CET | 2439 | 49705 | 31.13.224.72 | 192.168.2.5
Dec 19, 2024 14:32:13.019217014 CET | 2439 | 49705 | 31.13.224.72 | 192.168.2.5
Dec 19, 2024 14:32:13.073323011 CET | 49705 | 2439 | 192.168.2.5 | 31.13.224.72
Dec 19, 2024 14:32:13.253086090 CET | 2439 | 49705 | 31.13.224.72 | 192.168.2.5
                                                                                        Dec 19, 2024 14:32:13.261725903 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:13.381347895 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:13.381556988 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:13.501214981 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:13.930977106 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:13.932614088 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.052290916 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.194411993 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.245198965 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.385943890 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.400530100 CET4970680192.168.2.5178.237.33.50
                                                                                        Dec 19, 2024 14:32:14.402441978 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.432698965 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.520796061 CET8049706178.237.33.50192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.520920992 CET4970680192.168.2.5178.237.33.50
                                                                                        Dec 19, 2024 14:32:14.521152020 CET4970680192.168.2.5178.237.33.50
                                                                                        Dec 19, 2024 14:32:14.522159100 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.522228003 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.525333881 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:14.640700102 CET8049706178.237.33.50192.168.2.5
                                                                                        Dec 19, 2024 14:32:14.644937992 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:15.901067019 CET8049706178.237.33.50192.168.2.5
                                                                                        Dec 19, 2024 14:32:15.901913881 CET4970680192.168.2.5178.237.33.50
                                                                                        Dec 19, 2024 14:32:15.927257061 CET497052439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:16.047043085 CET24394970531.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:16.885008097 CET8049706178.237.33.50192.168.2.5
                                                                                        Dec 19, 2024 14:32:16.885098934 CET4970680192.168.2.5178.237.33.50
                                                                                        Dec 19, 2024 14:32:18.926837921 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:18.979562044 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.166786909 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.199404955 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.319133043 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.319191933 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.438730001 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.882071972 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.882088900 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.882163048 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.885201931 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.885215998 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.885267973 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.888679028 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.888715029 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.888777971 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.891660929 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.891700029 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.891733885 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.891777992 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.898263931 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.898313046 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.898338079 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:19.908127069 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:19.908171892 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.003148079 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.057663918 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.073991060 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.074023962 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.074101925 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.077346087 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.080199957 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.080257893 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.090940952 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.090977907 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.091052055 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.102988005 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.103024006 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.103177071 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.107681990 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.107719898 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.107815981 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.110646963 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.112255096 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.112329006 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.116935968 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.117495060 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.117558002 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.124744892 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.125550032 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.125602961 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.133152962 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.133990049 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.134057045 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.141536951 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.142293930 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.142353058 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.149900913 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.150667906 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.150851965 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.177212000 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.178723097 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.178802967 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.181616068 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.229557037 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.282567978 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.285389900 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.285458088 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.285466909 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.288366079 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.288403034 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.288479090 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.291380882 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.291419029 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.291460991 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.293209076 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.293243885 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.293277979 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.295872927 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.295937061 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.297183990 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.302048922 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.302112103 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.302719116 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.309768915 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.309838057 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.310420036 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.317449093 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.317514896 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.318135023 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.322602987 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.322814941 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.323304892 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.327790976 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.327840090 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.328670979 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.332756042 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.332818031 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.333451033 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.337881088 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.337939978 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.339159012 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.343089104 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.343180895 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.343727112 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.348426104 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.348479033 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.349077940 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.353251934 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.353317022 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.354224920 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.358397007 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.358464003 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.359040022 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.363553047 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.363604069 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.364202976 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.368593931 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.368737936 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.369230032 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.373573065 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.373625040 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.374245882 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.378659010 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.378712893 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.379244089 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.405170918 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.405225039 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.406455040 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.407841921 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.407897949 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.409332037 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.412688971 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.412740946 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.413409948 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.417695999 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.417757034 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.456208944 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.456815004 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.456899881 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.458522081 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.459237099 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.459307909 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.463251114 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.464987993 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.465054035 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.465576887 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.469788074 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.469850063 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.470315933 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.474293947 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.474344015 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.474811077 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.761565924 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.761576891 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.761703014 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.763957977 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.763993979 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.764060020 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.766503096 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.766536951 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.766597986 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.769048929 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.769084930 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.769114017 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.769138098 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.823378086 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.840683937 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.841552973 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.841619015 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.842689037 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.842724085 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.842770100 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.844978094 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.846128941 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.846163034 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.846199989 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.848388910 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.848448038 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.849572897 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.849627972 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.849710941 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.851871014 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.851906061 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.851958990 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.854149103 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.854197025 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.854285002 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.856467962 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.856503010 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.856656075 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.858836889 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.858870983 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.859026909 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.861350060 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.861386061 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.861459970 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.863876104 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.863960981 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.864023924 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.866441965 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.866477966 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.866533995 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.868989944 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.869024992 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.869059086 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.869093895 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.871547937 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.871597052 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.871620893 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.874135971 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.874171019 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.874267101 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.876729012 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.876764059 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.876800060 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.879213095 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.879249096 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.879278898 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.879282951 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.879370928 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.881813049 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.881850004 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.881908894 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.884305000 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.884341002 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.884455919 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.886848927 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.886884928 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.886941910 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.889395952 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.889448881 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.889513016 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.891987085 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.892021894 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.892055988 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.892106056 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.894556999 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.894612074 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.894613028 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.897123098 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.897159100 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.897351980 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.899651051 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.899687052 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.899780035 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.902354002 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.902389050 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.902421951 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.902422905 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.902489901 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.904791117 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.904827118 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.904907942 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.907339096 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.907373905 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.907452106 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.909857988 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.909893036 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.909953117 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.912453890 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.912489891 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.912549019 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.915007114 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.915043116 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.915079117 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.915107965 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.917545080 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.917598009 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.917686939 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.920121908 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.920159101 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.920173883 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.922657967 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.922712088 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.922730923 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.925306082 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.925342083 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.925354958 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.927764893 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.927802086 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.927836895 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.927871943 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.927920103 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.930830002 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.930881023 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.930936098 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.933314085 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.933350086 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.933404922 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.935403109 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.935457945 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.935512066 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.937972069 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.938023090 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.938057899 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.938079119 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.940526009 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.940562010 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.940572023 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.943077087 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.943111897 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.943243027 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.945847988 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.945883989 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.945909023 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.948191881 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.948227882 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.948265076 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.950758934 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.950814009 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.950813055 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.950850964 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.950894117 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.953304052 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.953340054 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.953385115 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.955897093 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.955935955 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.955992937 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.958440065 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.958477974 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.958525896 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:20.961045027 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.961127996 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.961160898 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:20.961186886 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:21.010785103 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:21.032584906 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:21.033188105 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:21.033257961 CET497072439192.168.2.531.13.224.72
                                                                                        Dec 19, 2024 14:32:21.034307957 CET24394970731.13.224.72192.168.2.5
                                                                                        Dec 19, 2024 14:32:21.034343004 CET24394970731.13.224.72192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 19, 2024 14:32:00.109236002 CET  60806        53         192.168.2.5  1.1.1.1
Dec 19, 2024 14:32:00.440416098 CET  53           60806      1.1.1.1      192.168.2.5
Dec 19, 2024 14:32:10.890847921 CET  52317        53         192.168.2.5  1.1.1.1
Dec 19, 2024 14:32:11.201111078 CET  53           52317      1.1.1.1      192.168.2.5
Dec 19, 2024 14:32:14.245032072 CET  60099        53         192.168.2.5  1.1.1.1
Dec 19, 2024 14:32:14.384561062 CET  53           60099      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
Dec 19, 2024 14:32:00.109236002 CET  192.168.2.5  1.1.1.1  0x48b5    Standard query (0)  kiolokgangan.duckdns.org  A (IP address)  IN (0x0001)  false
Dec 19, 2024 14:32:10.890847921 CET  192.168.2.5  1.1.1.1  0xc2aa    Standard query (0)  apieconi.duckdns.org      A (IP address)  IN (0x0001)  false
Dec 19, 2024 14:32:14.245032072 CET  192.168.2.5  1.1.1.1  0x1c15    Standard query (0)  geoplugin.net             A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address        Type            Class        DNS over HTTPS
Dec 19, 2024 14:32:00.440416098 CET  1.1.1.1    192.168.2.5  0x48b5    No error (0)  kiolokgangan.duckdns.org  -      192.169.69.26  A (IP address)  IN (0x0001)  false
Dec 19, 2024 14:32:11.201111078 CET  1.1.1.1    192.168.2.5  0xc2aa    No error (0)  apieconi.duckdns.org      -      31.13.224.72   A (IP address)  IN (0x0001)  false
Dec 19, 2024 14:32:14.384561062 CET  1.1.1.1    192.168.2.5  0x1c15    No error (0)  geoplugin.net             -      178.237.33.50  A (IP address)  IN (0x0001)  false
• geoplugin.net

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49706        178.237.33.50   80                7312  C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 19, 2024 14:32:14.521152020 CET  71                 OUT
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Dec 19, 2024 14:32:15.901067019 CET  1171               IN
HTTP/1.1 200 OK
date: Thu, 19 Dec 2024 13:32:15 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                        Target ID:0
                                                                                        Start time:08:31:59
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:493'056 bytes
                                                                                        MD5 hash:A3CFE4942B0EE84AB5A32698860F6EBF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2035636675.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2384822274.000000000050F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4485715444.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:3
                                                                                        Start time:08:32:20
                                                                                        Start date:19/12/2024
                                                                                        Path:C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wozewdtiejdgzxouhjfjtsesgjjw"
                                                                                        Imagebase:0x400000
                                                                                        File size:493'056 bytes
                                                                                        MD5 hash:A3CFE4942B0EE84AB5A32698860F6EBF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2246689036.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:08:32:20
Start date: 19/12/2024
Path: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\ginxwvekzrvlcdcyyuskefrjpqbxsxo"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: A3CFE4942B0EE84AB5A32698860F6EBF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true
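The `/stext "<Temp file>"` command line of Target ID 4 above is the NirSoft "save report as text" switch: Remcos starts a copy of itself hosting an in-memory NirSoft password recovery tool (the WebBrowserPassView detection in the signature list) and points it at a file in the user's Temp directory, which the RAT then reads back. The detection below is an added example written for this page, not part of the Joe Sandbox report or of any vendor's rule set. It runs over constructed process-creation events (the Target 4 command line from this report plus two made-up benign controls); the switch list is taken from NirSoft's documented command-line interface, and the requirement of two corroborating signals before alerting is this example's own choice.

```python
import re
from dataclasses import dataclass, field

# NirSoft "save report" switches (documented CLI of WebBrowserPassView, Mail PassView
# and the other NirSoft recovery tools). A hosted copy of such a tool is told via one of
# these where to write the recovered credentials.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/stab", "/scomma", "/shtml", "/sverhtml", "/sxml"}

# Per-user paths: in this report the report file lands in %LOCALAPPDATA%\Temp and the
# image itself runs from the user's Desktop.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.I)

# Windows command-line tokenizer: keep quoted arguments whole, then drop the quotes.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    event_id: int
    image: str
    switch: str
    output_path: str
    reasons: list = field(default_factory=list)


def _tokens(cmdline: str) -> list:
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def _looks_generated(filename: str) -> bool:
    """Extension-less run of 20+ lowercase ASCII letters, like the Temp names above."""
    return ("." not in filename and len(filename) >= 20
            and filename.isascii() and filename.isalpha() and filename.islower())


def inspect_process(event_id: int, cmdline: str):
    """Return a Finding when a NirSoft report switch is accompanied by at least two
    corroborating signals (report in Temp, generated filename, image under the user
    profile). A plain run of a NirSoft tool from a fixed path yields None."""
    argv = _tokens(cmdline)
    if len(argv) < 3:
        return None
    image = argv[0]
    for i in range(1, len(argv) - 1):
        switch = argv[i].lower()
        if switch not in NIRSOFT_SAVE_SWITCHES:
            continue
        out = argv[i + 1]
        reasons = [f"NirSoft report switch {switch}"]
        if USER_TEMP_RE.match(out):
            reasons.append("report written to the user's Temp directory")
        if _looks_generated(out.rsplit("\\", 1)[-1]):
            reasons.append("report filename is a generated, extension-less letter string")
        if USER_PROFILE_RE.match(image):
            reasons.append("image runs from a user-writable profile path")
        if len(reasons) >= 3:
            return Finding(event_id, image, switch, out, reasons)
    return None


def scan(events):
    """events: iterable of (event_id, command line). Returns the list of Findings."""
    return [f for f in (inspect_process(i, c) for i, c in events) if f is not None]


# Constructed process-creation events: the first is the Target ID 4 command line from
# this report, the other two are made-up benign controls.
SAMPLE_EVENTS = [
    (4, r'C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\ginxwvekzrvlcdcyyuskefrjpqbxsxo"'),
    (10, r'C:\Windows\System32\cmd.exe /c dir C:\Users\user\AppData\Local\Temp'),
    (11, r'C:\Tools\WebBrowserPassView.exe /stext C:\Tools\browser-report.txt'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.event_id, f.image, f.switch, f.output_path, "; ".join(f.reasons))
```

Only the sandbox command line is flagged: the admin-style NirSoft run carries the switch but none of the corroborating signals, which is the distinction a production rule needs so that legitimate use of the tools does not page anyone.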

Target ID: 5
Start time: 08:32:20
Start date: 19/12/2024
Path: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rkshxopenznqmrrchfmehklsxwkgtifxyk"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: A3CFE4942B0EE84AB5A32698860F6EBF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true
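Each Yara bullet above carries a dotted memory-dump identifier. Its first field is the Target ID of the process the dump came from (00000004 under Target ID 4, 00000005 under Target ID 5) and its fourth field is the virtual address of the matched region, 0000000000457000 in every case, while both processes report Imagebase 0x400000. The following added example (not the report's or Joe Security's code) parses those eight lines and shows that every rule fires at the same RVA, 0x57000, in both processes, which is consistent with two copies of the same image mapped at the same base rather than code injected at differing addresses. The meaning of the remaining dotted fields is not decoded; treating them as opaque is an assumption of this example.

```python
import re
from collections import defaultdict

IMAGEBASE = 0x400000  # "Imagebase" reported for both processes above

# One "Yara matches" bullet as printed in the report.
MATCH_RE = re.compile(
    r"^\W*Rule: (?P<rule>[^,]+), Description: (?P<desc>[^,]+), "
    r"Source: (?P<source>[^,\s]+), Author: (?P<author>.+)$"
)

# Dotted memory-dump id. Only the first field (Target ID) and the fourth
# (16-hex-digit virtual address) are interpreted; the rest is kept opaque
# (assumption made for this example).
SOURCE_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<f2>[0-9a-f]{8})\.(?P<f3>[0-9]+)\."
    r"(?P<va>[0-9a-f]{16})\.(?P<rest>.+)\.sdmp$", re.I
)


def parse_match(line: str):
    """Return {rule, target, va, rva, author} for one bullet, or None if it does not parse."""
    m = MATCH_RE.match(line.strip())
    if not m:
        return None
    s = SOURCE_RE.match(m["source"])
    if not s:
        return None
    va = int(s["va"], 16)
    return {
        "rule": m["rule"].strip(),
        "target": int(s["target"], 16),
        "va": va,
        "rva": va - IMAGEBASE if va >= IMAGEBASE else None,
        "author": m["author"].strip(),
    }


def correlate(lines):
    """Map (rule, rva) -> sorted Target IDs whose dump hit that rule at that offset."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_match(line)
        if rec is not None:
            hits[(rec["rule"], rec["rva"])].add(rec["target"])
    return {k: sorted(v) for k, v in hits.items()}


def same_image_hits(lines) -> bool:
    """True when every rule lands at a single RVA and in the same set of targets."""
    groups = correlate(lines)
    if not groups:
        return False
    rvas = {rva for (_, rva) in groups}
    targets = {tuple(t) for t in groups.values()}
    return len(rvas) == 1 and len(targets) == 1


# The eight "Yara matches" bullets from the two process entries above, verbatim.
SAMPLE_LINES = [
    "• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2247350941.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown",
    "• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000000.2248398049.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown",
]

if __name__ == "__main__":
    for (rule, rva), targets in correlate(SAMPLE_LINES).items():
        print(f"{rule:40s} RVA 0x{rva:x}  targets {targets}")
    print("same image in all targets:", same_image_hits(SAMPLE_LINES))
```

The RVA is the number to carry over to a static disassembly of the sample (file offset of the matched region in the 0x400000-based image), and grouping by it is what tells you whether two hits in two processes are the same artefact or two different ones.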


Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 4.3%
Signature Coverage: 19.7%
Total number of Nodes: 1642
Total number of Limit Nodes: 59
execution_graph: serialized node dump of the interactive call graph (1642 nodes; the dump is truncated in this copy of the report) and not reproduced here. The API calls named on the dumped nodes are:
• Loader and self-mapping: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualProtect (the GetProcAddress/VirtualProtect nodes lie at 0x1000c7a7 to 0x1000c872, outside the 0x400000-based image), GetModuleFileNameW, FindResourceA, LoadResource, LockResource, SizeofResource
• Runtime and anti-analysis: IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, GetCurrentProcess, TerminateProcess, SetProcessDEPPolicy, GetStartupInfoW, GetLastError
• Registry: RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey
• Process, thread and synchronisation: CreateProcessA, CreateThread, CreateMutexA, WaitForSingleObject, SetEvent, Sleep, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, CloseHandle
• Network: WSAStartup, WSAGetLastError, connect, send, recv, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle
• Host and user information: GetComputerNameExW, GetUserNameW, GetLocaleInfoA, GetLocalTime, GetTickCount, GetLastInputInfo, GetLongPathNameW, DeleteFileW, StrToIntA
• Crypto and heap: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap
calls 53215->53232 53219 41c5a9 53233 41c536 28 API calls 53219->53233 53221 41c5dc 53222 41c603 53221->53222 53223 41c5f7 53221->53223 53235 41c7cf 11 API calls 53222->53235 53234 41c7b2 11 API calls 53223->53234 53226 41c601 53237 41c75a 11 API calls 53226->53237 53227 41c60f 53236 41c7cf 11 API calls 53227->53236 53230 41c63e 53230->53194 53231->53194 53232->53219 53233->53221 53234->53226 53235->53227 53236->53226 53237->53230 53239->52837 53240->52842 53243 402e85 53241->53243 53242 402ea9 53242->52846 53243->53242 53244 402e98 53243->53244 53246 402eae 53243->53246 53248 403445 28 API calls 53244->53248 53246->53242 53249 40225b 11 API calls 53246->53249 53248->53242 53249->53242 53251 404bd0 53250->53251 53254 40245c 53251->53254 53253 404be4 53253->52849 53255 402469 53254->53255 53257 402478 53255->53257 53258 402ad3 28 API calls 53255->53258 53257->53253 53258->53257 53261 4021c6 53259->53261 53260 4021e8 53260->52853 53261->53260 53262 40262e 11 API calls 53261->53262 53262->53260 53264 401e94 53263->53264 53266 41b183 53265->53266 53267 41b168 GetCurrentProcess IsWow64Process 53265->53267 53266->52863 53267->53266 53268 41b17f 53267->53268 53268->52863 53270 412541 RegQueryValueExA RegCloseKey 53269->53270 53271 412569 53269->53271 53270->53271 53272 401f66 28 API calls 53271->53272 53273 41257e 53272->53273 53273->52866 53274->52874 53276 40b02f 53275->53276 53279 40b04b 53276->53279 53278 40b045 53278->52885 53280 40b055 53279->53280 53282 40b060 53280->53282 53283 40b138 28 API calls 53280->53283 53282->53278 53283->53282 53284->52889 53285->52892 53287 40230d 53286->53287 53288 402325 28 API calls 53287->53288 53289 401f80 53288->53289 53289->52632 53306 43a545 53290->53306 53292 43998b 53312 4392de 35 API calls 3 library calls 53292->53312 53293 439950 53293->53292 53294 439965 53293->53294 53305 43996a pre_c_initialization 53293->53305 53311 445354 20 API calls __dosmaperr 53294->53311 53298 439997 53299 4399c6 53298->53299 53313 43a58a 39 API 
calls __Tolower 53298->53313 53300 439a32 53299->53300 53314 43a4f1 20 API calls 2 library calls 53299->53314 53315 43a4f1 20 API calls 2 library calls 53300->53315 53303 439af9 _strftime 53303->53305 53316 445354 20 API calls __dosmaperr 53303->53316 53305->52917 53307 43a54a 53306->53307 53308 43a55d 53306->53308 53317 445354 20 API calls __dosmaperr 53307->53317 53308->53293 53310 43a54f pre_c_initialization 53310->53293 53311->53305 53312->53298 53313->53298 53314->53300 53315->53303 53316->53305 53317->53310 53322 401e9b 53318->53322 53320 4027d9 53320->52930 53321->52934 53323 401ea7 53322->53323 53324 40245c 28 API calls 53323->53324 53325 401eb9 53324->53325 53325->53320 53327 409855 53326->53327 53328 4124b7 3 API calls 53327->53328 53329 40985c 53328->53329 53330 409870 53329->53330 53331 40988a 53329->53331 53332 4095cf 53330->53332 53333 409875 53330->53333 53334 4082dc 28 API calls 53331->53334 53332->52684 53345 4082dc 53333->53345 53336 409898 53334->53336 53350 4098a5 85 API calls 53336->53350 53340 409888 53340->53332 53341->52960 53359 402d8b 53342->53359 53344 4028dd 53344->52963 53346 4082eb 53345->53346 53351 408431 53346->53351 53348 408309 53349 409959 29 API calls 53348->53349 53349->53340 53356 40999f 130 API calls 53349->53356 53350->53332 53357 4099b5 53 API calls 53350->53357 53358 4099a9 125 API calls 53350->53358 53352 40843d 53351->53352 53354 40845b 53352->53354 53355 402f0d 28 API calls 53352->53355 53354->53348 53355->53354 53360 402d97 53359->53360 53363 4030f7 53360->53363 53362 402dab 53362->53344 53364 403101 53363->53364 53366 403115 53364->53366 53367 4036c2 28 API calls 53364->53367 53366->53362 53367->53366 53369 403b48 53368->53369 53375 403b7a 53369->53375 53372 403cbb 53384 403dc2 53372->53384 53374 403cc9 53374->52971 53376 403b86 53375->53376 53379 403b9e 53376->53379 53378 403b5a 53378->53372 53380 403ba8 53379->53380 53382 403bb3 53380->53382 53383 403cfd 28 API calls 53380->53383 53382->53378 53383->53382 53385 
403dce 53384->53385 53388 402ffd 53385->53388 53387 403de3 53387->53374 53389 40300e 53388->53389 53390 4032a4 22 API calls 53389->53390 53391 40301a 53390->53391 53393 40302e 53391->53393 53394 4035e8 28 API calls 53391->53394 53393->53387 53394->53393 53401 4395ba 53395->53401 53399 412814 53398->53399 53400 4127ed RegSetValueExA RegCloseKey 53398->53400 53399->52997 53400->53399 53404 43953b 53401->53404 53403 401608 53403->52995 53405 43954a 53404->53405 53406 43955e 53404->53406 53410 445354 20 API calls __dosmaperr 53405->53410 53408 43954f pre_c_initialization __alldvrm 53406->53408 53411 447601 11 API calls 2 library calls 53406->53411 53408->53403 53410->53408 53411->53408 53413 41aab9 ctype ___scrt_fastfail 53412->53413 53414 401f66 28 API calls 53413->53414 53415 41ab2e 53414->53415 53415->53001 53416->53017 53418 413fb3 getaddrinfo WSASetLastError 53417->53418 53419 413fa9 53417->53419 53418->53082 53574 413e37 29 API calls ___std_exception_copy 53419->53574 53421 413fae 53421->53418 53423 404206 socket 53422->53423 53424 4041fd 53422->53424 53425 404220 53423->53425 53426 404224 CreateEventW 53423->53426 53575 404262 WSAStartup 53424->53575 53425->53082 53426->53082 53428 404202 53428->53423 53428->53425 53430 4049b1 53429->53430 53431 40492a 53429->53431 53430->53082 53432 404933 53431->53432 53433 404987 CreateEventA CreateThread 53431->53433 53434 404942 GetLocalTime 53431->53434 53432->53433 53433->53430 53577 404b1d 53433->53577 53435 41ad46 28 API calls 53434->53435 53436 40495b 53435->53436 53576 404c9e 28 API calls 53436->53576 53438 404968 53439 401f66 28 API calls 53438->53439 53440 404977 53439->53440 53441 41a686 79 API calls 53440->53441 53442 40497c 53441->53442 53443 401eea 11 API calls 53442->53443 53443->53433 53445 4043e1 53444->53445 53446 4042b3 53444->53446 53447 404343 53445->53447 53448 4043e7 WSAGetLastError 53445->53448 53446->53447 53449 4042e8 53446->53449 53452 404cbf 28 API calls 53446->53452 53447->53082 53448->53447 53450 
4043f7 53448->53450 53581 420151 27 API calls 53449->53581 53453 4042f7 53450->53453 53454 4043fc 53450->53454 53456 4042d4 53452->53456 53460 401f66 28 API calls 53453->53460 53592 41bc76 30 API calls 53454->53592 53455 4042f0 53455->53453 53459 404306 53455->53459 53461 401f66 28 API calls 53456->53461 53458 40440b 53593 404c9e 28 API calls 53458->53593 53469 404315 53459->53469 53470 40434c 53459->53470 53463 404448 53460->53463 53464 4042e3 53461->53464 53467 401f66 28 API calls 53463->53467 53465 41a686 79 API calls 53464->53465 53465->53449 53466 404418 53468 401f66 28 API calls 53466->53468 53471 404457 53467->53471 53472 404427 53468->53472 53474 401f66 28 API calls 53469->53474 53589 420f34 54 API calls 53470->53589 53475 41a686 79 API calls 53471->53475 53476 41a686 79 API calls 53472->53476 53478 404324 53474->53478 53475->53447 53479 40442c 53476->53479 53477 404354 53480 404389 53477->53480 53481 404359 53477->53481 53482 401f66 28 API calls 53478->53482 53484 401eea 11 API calls 53479->53484 53591 4202ea 28 API calls 53480->53591 53485 401f66 28 API calls 53481->53485 53486 404333 53482->53486 53484->53447 53488 404368 53485->53488 53489 41a686 79 API calls 53486->53489 53487 404391 53490 4043be CreateEventW CreateEventW 53487->53490 53493 401f66 28 API calls 53487->53493 53491 401f66 28 API calls 53488->53491 53492 404338 53489->53492 53490->53447 53494 404377 53491->53494 53582 420191 53492->53582 53496 4043a7 53493->53496 53497 41a686 79 API calls 53494->53497 53498 401f66 28 API calls 53496->53498 53499 40437c 53497->53499 53500 4043b6 53498->53500 53590 420592 52 API calls 53499->53590 53502 41a686 79 API calls 53500->53502 53503 4043bb 53502->53503 53503->53490 53596 41a945 GlobalMemoryStatusEx 53504->53596 53506 41a982 53506->53082 53597 413646 53507->53597 53511 440c5d 53510->53511 53635 440a4d 53511->53635 53513 440c7e 53513->53082 53515 40cc0d 53514->53515 53516 41246e 3 API calls 53515->53516 53518 40cc14 53516->53518 53517 40cc2c 
53517->53082 53518->53517 53519 4124b7 3 API calls 53518->53519 53519->53517 53521 401f86 28 API calls 53520->53521 53522 41ae03 53521->53522 53522->53082 53524 440c51 20 API calls 53523->53524 53525 41ad67 53524->53525 53526 401f66 28 API calls 53525->53526 53527 41ad75 53526->53527 53527->53082 53528->53082 53530 436050 ___scrt_fastfail 53529->53530 53531 41ac71 GetForegroundWindow GetWindowTextW 53530->53531 53532 403b40 28 API calls 53531->53532 53533 41ac9b 53532->53533 53533->53082 53535 401f66 28 API calls 53534->53535 53536 40e69e 53535->53536 53536->53082 53538 4027f8 53537->53538 53539 402e78 28 API calls 53538->53539 53540 402814 53539->53540 53540->53082 53544 4045ec 53541->53544 53542 43a88c ___crtLCMapStringA 21 API calls 53542->53544 53544->53542 53545 401f86 28 API calls 53544->53545 53546 404666 53544->53546 53547 401eef 11 API calls 53544->53547 53550 401eea 11 API calls 53544->53550 53640 40455b 53544->53640 53646 404688 53544->53646 53545->53544 53548 4047eb 98 API calls 53546->53548 53547->53544 53549 40466d 53548->53549 53551 401eea 11 API calls 53549->53551 53550->53544 53552 404676 53551->53552 53553 401eea 11 API calls 53552->53553 53554 40467f 53553->53554 53554->53082 53556->53082 53557->53082 53558->53082 53559->53082 53561 404805 SetEvent CloseHandle 53560->53561 53562 40481c closesocket 53560->53562 53563 40489c 53561->53563 53564 404829 53562->53564 53563->53082 53565 404838 53564->53565 53566 40483f 53564->53566 54046 404ab1 83 API calls 53565->54046 53567 404851 WaitForSingleObject 53566->53567 53568 404892 SetEvent CloseHandle 53566->53568 53570 420191 3 API calls 53567->53570 53568->53563 53571 404860 SetEvent WaitForSingleObject 53570->53571 53572 420191 3 API calls 53571->53572 53573 404878 SetEvent CloseHandle CloseHandle 53572->53573 53573->53568 53574->53421 53575->53428 53576->53438 53580 404b29 101 API calls 53577->53580 53579 404b26 53580->53579 53581->53455 53583 41dc15 53582->53583 53584 420199 53582->53584 53585 41dc23 
53583->53585 53594 41cd69 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53583->53594 53584->53447 53595 41d950 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53585->53595 53588 41dc2a 53589->53477 53590->53492 53591->53487 53592->53458 53593->53466 53594->53585 53595->53588 53596->53506 53600 413619 53597->53600 53601 41362e ___scrt_initialize_default_local_stdio_options 53600->53601 53604 43e2dd 53601->53604 53607 43b030 53604->53607 53608 43b070 53607->53608 53609 43b058 53607->53609 53608->53609 53611 43b078 53608->53611 53629 445354 20 API calls __dosmaperr 53609->53629 53630 4392de 35 API calls 3 library calls 53611->53630 53612 43b05d pre_c_initialization 53622 433d2c 53612->53622 53614 43b088 53631 43b7b6 20 API calls 2 library calls 53614->53631 53617 41363c 53617->53082 53618 43b100 53632 43be24 50 API calls 3 library calls 53618->53632 53621 43b10b 53633 43b820 20 API calls _free 53621->53633 53623 433d37 IsProcessorFeaturePresent 53622->53623 53624 433d35 53622->53624 53626 4341a4 53623->53626 53624->53617 53634 434168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53626->53634 53628 434287 53628->53617 53629->53612 53630->53614 53631->53618 53632->53621 53633->53612 53634->53628 53636 440a64 53635->53636 53638 440a9b pre_c_initialization 53636->53638 53639 445354 20 API calls __dosmaperr 53636->53639 53638->53513 53639->53638 53641 404592 recv 53640->53641 53642 404565 WaitForSingleObject 53640->53642 53644 4045a5 53641->53644 53659 420556 54 API calls 53642->53659 53644->53544 53645 404581 SetEvent 53645->53644 53649 4046a3 53646->53649 53647 4047d8 53648 401eea 11 API calls 53647->53648 53650 4047e1 53648->53650 53649->53647 53651 401eef 11 API calls 53649->53651 53652 401eea 11 API calls 53649->53652 53653 401fbd 28 API calls 53649->53653 53654 401ebd 28 API calls 53649->53654 53656 403b60 28 API calls 53649->53656 53658 402654 11 API calls 53649->53658 53660 411b60 
53649->53660 53650->53544 53651->53649 53652->53649 53653->53649 53655 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 53654->53655 53655->53649 53964 414b9b 53655->53964 53656->53649 53658->53649 53659->53645 53661 411b72 53660->53661 53662 403b60 28 API calls 53661->53662 53663 411b85 53662->53663 53664 401fbd 28 API calls 53663->53664 53665 411b94 53664->53665 53666 401fbd 28 API calls 53665->53666 53667 411ba3 53666->53667 53668 41afc3 28 API calls 53667->53668 53669 411bac 53668->53669 53670 411c60 53669->53670 53672 401d64 28 API calls 53669->53672 53671 401d8c 11 API calls 53670->53671 53673 411c69 53671->53673 53674 411bc8 53672->53674 53675 401eea 11 API calls 53673->53675 53676 401fbd 28 API calls 53674->53676 53677 411c72 53675->53677 53678 411bd0 53676->53678 53679 401eea 11 API calls 53677->53679 53680 401d64 28 API calls 53678->53680 53682 411c7a 53679->53682 53681 411be0 53680->53681 53683 401fbd 28 API calls 53681->53683 53682->53649 53684 411be8 53683->53684 53685 401d64 28 API calls 53684->53685 53686 411bf8 53685->53686 53687 401fbd 28 API calls 53686->53687 53688 411c00 53687->53688 53689 401d64 28 API calls 53688->53689 53690 411c10 53689->53690 53691 401fbd 28 API calls 53690->53691 53692 411c18 53691->53692 53693 401d64 28 API calls 53692->53693 53694 411c28 53693->53694 53695 401fbd 28 API calls 53694->53695 53696 411c30 53695->53696 53697 401d64 28 API calls 53696->53697 53698 411c43 53697->53698 53699 401fbd 28 API calls 53698->53699 53700 411c4b 53699->53700 53704 411c81 GetModuleFileNameW 53700->53704 53703 4047eb 98 API calls 53703->53670 53716 411cac 53704->53716 53705 40c854 32 API calls 53705->53716 53706 401eea 11 API calls 53706->53716 53707 41ab38 42 API calls 53707->53716 53708 4028cf 28 API calls 53708->53716 53709 4176b6 31 API calls 53709->53716 53710 411dea Sleep 53710->53716 53711 403b40 28 API calls 53711->53716 53712 403cbb 28 API calls 53712->53716 53713 401e13 11 API calls 53713->53716 53714 411e8c Sleep 
53714->53716 53715 403cdc 28 API calls 53715->53716 53716->53705 53716->53706 53716->53707 53716->53708 53716->53709 53716->53710 53716->53711 53716->53712 53716->53713 53716->53714 53716->53715 53717 411f2e Sleep 53716->53717 53718 41b61a 32 API calls 53716->53718 53719 411f90 DeleteFileW 53716->53719 53720 411fc7 DeleteFileW 53716->53720 53721 412019 Sleep 53716->53721 53722 412003 DeleteFileW 53716->53722 53723 412092 53716->53723 53730 41205e Sleep 53716->53730 53717->53716 53718->53716 53719->53716 53720->53716 53721->53716 53722->53716 53724 401e13 11 API calls 53723->53724 53725 41209e 53724->53725 53726 401e13 11 API calls 53725->53726 53727 4120aa 53726->53727 53728 401e13 11 API calls 53727->53728 53729 4120b6 53728->53729 53731 40b027 28 API calls 53729->53731 53732 401e13 11 API calls 53730->53732 53733 4120c9 53731->53733 53737 41206e 53732->53737 53735 401fbd 28 API calls 53733->53735 53734 401e13 11 API calls 53734->53737 53736 4120e9 53735->53736 53846 4123f7 53736->53846 53737->53716 53737->53734 53739 412090 53737->53739 53739->53729 53741 401e13 11 API calls 53742 412100 53741->53742 53743 412125 53742->53743 53744 412274 53742->53744 53858 41aec8 53743->53858 53745 41aec8 28 API calls 53744->53745 53747 41227d 53745->53747 53749 4027ec 28 API calls 53747->53749 53751 4122b2 53749->53751 53750 41ad46 28 API calls 53752 412146 53750->53752 53753 4027cb 28 API calls 53751->53753 53754 4027ec 28 API calls 53752->53754 53755 4122c1 53753->53755 53756 412176 53754->53756 53758 4027cb 28 API calls 53755->53758 53757 4027cb 28 API calls 53756->53757 53760 412185 53757->53760 53759 4122cd 53758->53759 53761 4027cb 28 API calls 53759->53761 53762 4027cb 28 API calls 53760->53762 53763 4122dc 53761->53763 53764 412194 53762->53764 53765 4027cb 28 API calls 53763->53765 53766 4027cb 28 API calls 53764->53766 53767 4122eb 53765->53767 53768 4121a3 53766->53768 53769 4027cb 28 API calls 53767->53769 53770 4027cb 28 API calls 53768->53770 53771 4122fa 
53769->53771 53772 4121b2 53770->53772 53773 4027cb 28 API calls 53771->53773 53774 4027cb 28 API calls 53772->53774 53775 412309 53773->53775 53776 4121be 53774->53776 53777 40275c 28 API calls 53775->53777 53778 4027cb 28 API calls 53776->53778 53779 412313 53777->53779 53780 4121ca 53778->53780 53781 404468 61 API calls 53779->53781 53862 40275c 53780->53862 53783 412320 53781->53783 53785 401eea 11 API calls 53783->53785 53784 4121d9 53786 4027cb 28 API calls 53784->53786 53787 41232c 53785->53787 53788 4121e5 53786->53788 53790 401eea 11 API calls 53787->53790 53789 40275c 28 API calls 53788->53789 53792 4121ef 53789->53792 53791 412338 53790->53791 53793 401eea 11 API calls 53791->53793 53794 404468 61 API calls 53792->53794 53795 412344 53793->53795 53796 4121fc 53794->53796 53797 401eea 11 API calls 53795->53797 53798 401eea 11 API calls 53796->53798 53799 412350 53797->53799 53800 412205 53798->53800 53801 401eea 11 API calls 53799->53801 53802 401eea 11 API calls 53800->53802 53803 412359 53801->53803 53804 41220e 53802->53804 53805 401eea 11 API calls 53803->53805 53806 401eea 11 API calls 53804->53806 53807 412362 53805->53807 53808 412217 53806->53808 53809 401eea 11 API calls 53807->53809 53810 401eea 11 API calls 53808->53810 53811 412268 53809->53811 53812 412220 53810->53812 53814 401eea 11 API calls 53811->53814 53813 401eea 11 API calls 53812->53813 53815 41222c 53813->53815 53816 412374 53814->53816 53817 401eea 11 API calls 53815->53817 53818 401e13 11 API calls 53816->53818 53819 412238 53817->53819 53821 412380 53818->53821 53820 401eea 11 API calls 53819->53820 53823 412244 53820->53823 53822 401eea 11 API calls 53821->53822 53824 41238c 53822->53824 53825 401eea 11 API calls 53823->53825 53826 401eea 11 API calls 53824->53826 53827 412250 53825->53827 53828 412398 53826->53828 53829 401eea 11 API calls 53827->53829 53830 401eea 11 API calls 53828->53830 53831 41225c 53829->53831 53832 4123a4 53830->53832 53833 401eea 11 API calls 
53831->53833 53834 401eea 11 API calls 53832->53834 53833->53811 53835 4123b0 53834->53835 53836 401eea 11 API calls 53835->53836 53837 4123bc 53836->53837 53838 401eea 11 API calls 53837->53838 53839 4123c8 53838->53839 53840 401eea 11 API calls 53839->53840 53841 4123d4 53840->53841 53842 401eea 11 API calls 53841->53842 53843 4123e0 53842->53843 53844 401eea 11 API calls 53843->53844 53845 411c50 53844->53845 53845->53703 53847 412435 53846->53847 53849 412406 53846->53849 53848 412444 53847->53848 53872 10001c5b 53847->53872 53850 403b40 28 API calls 53848->53850 53869 410b0d 53849->53869 53851 412450 53850->53851 53853 401eea 11 API calls 53851->53853 53855 4120f4 53853->53855 53855->53741 53859 41aed5 53858->53859 53860 401f86 28 API calls 53859->53860 53861 412131 53860->53861 53861->53750 53866 40276b 53862->53866 53863 4027ad 53864 401e9b 28 API calls 53863->53864 53865 4027ab 53864->53865 53865->53784 53866->53863 53867 4027a2 53866->53867 53963 402ee5 28 API calls 53867->53963 53877 410b19 53869->53877 53873 10001c6b ___scrt_fastfail 53872->53873 53924 100012ee 53873->53924 53875 10001c87 53875->53848 53876 410d8d 22 API calls ___crtLCMapStringA 53876->53847 53908 4105b9 53877->53908 53879 410b38 53881 4105b9 SetLastError 53879->53881 53894 410c1f SetLastError 53879->53894 53905 410b15 53879->53905 53883 410b5f 53881->53883 53882 410bbf GetNativeSystemInfo 53884 410bd6 53882->53884 53883->53882 53883->53883 53883->53894 53883->53905 53884->53894 53911 410abe VirtualAlloc 53884->53911 53886 410bfe 53887 410c26 GetProcessHeap HeapAlloc 53886->53887 53921 410abe VirtualAlloc 53886->53921 53889 410c3d 53887->53889 53890 410c4f 53887->53890 53922 410ad5 VirtualFree 53889->53922 53893 4105b9 SetLastError 53890->53893 53891 410c16 53891->53887 53891->53894 53895 410c98 53893->53895 53894->53905 53896 410d45 53895->53896 53912 410abe VirtualAlloc 53895->53912 53923 410eb0 GetProcessHeap HeapFree 53896->53923 53899 410cb1 ctype 53913 4105cc SetLastError ctype 
___scrt_fastfail 53899->53913 53901 410cdd 53901->53896 53914 410975 24 API calls 53901->53914 53903 410d04 53903->53896 53915 410769 53903->53915 53905->53876 53906 410d0f 53906->53896 53906->53905 53907 410d3a SetLastError 53906->53907 53907->53896 53909 4105c8 53908->53909 53910 4105bd SetLastError 53908->53910 53909->53879 53910->53879 53911->53886 53912->53899 53913->53901 53914->53903 53919 410790 53915->53919 53916 41087f 53917 4106d3 VirtualProtect 53916->53917 53918 410891 53917->53918 53918->53906 53919->53916 53919->53918 53920 4106d3 VirtualProtect 53919->53920 53920->53919 53921->53891 53922->53894 53923->53905 53925 10001324 ___scrt_fastfail 53924->53925 53926 100013b7 GetEnvironmentVariableW 53925->53926 53950 100010f1 53926->53950 53929 100010f1 57 API calls 53930 10001465 53929->53930 53931 100010f1 57 API calls 53930->53931 53932 10001479 53931->53932 53933 100010f1 57 API calls 53932->53933 53934 1000148d 53933->53934 53935 100010f1 57 API calls 53934->53935 53936 100014a1 53935->53936 53937 100010f1 57 API calls 53936->53937 53938 100014b5 lstrlenW 53937->53938 53939 100014d2 53938->53939 53940 100014d9 lstrlenW 53938->53940 53939->53875 53941 100010f1 57 API calls 53940->53941 53942 10001501 lstrlenW lstrcatW 53941->53942 53943 100010f1 57 API calls 53942->53943 53944 10001539 lstrlenW lstrcatW 53943->53944 53945 100010f1 57 API calls 53944->53945 53946 1000156b lstrlenW lstrcatW 53945->53946 53947 100010f1 57 API calls 53946->53947 53948 1000159d lstrlenW lstrcatW 53947->53948 53949 100010f1 57 API calls 53948->53949 53949->53939 53951 10001118 ___scrt_fastfail 53950->53951 53952 10001129 lstrlenW 53951->53952 53953 10002c40 ___scrt_fastfail 53952->53953 53954 10001148 lstrcatW lstrlenW 53953->53954 53955 10001177 lstrlenW FindFirstFileW 53954->53955 53956 10001168 lstrlenW 53954->53956 53957 100011a0 53955->53957 53958 100011e1 53955->53958 53956->53955 53959 100011c7 FindNextFileW 53957->53959 53960 100011aa 53957->53960 53958->53929 
53959->53957 53962 100011da FindClose 53959->53962 53960->53959 53961 10001000 49 API calls 53960->53961 53961->53960 53962->53958 53963->53865 53965 401fbd 28 API calls 53964->53965 53966 414bbd SetEvent 53965->53966 53967 414bd2 53966->53967 53968 403b60 28 API calls 53967->53968 53969 414bec 53968->53969 53970 401fbd 28 API calls 53969->53970 53971 414bfc 53970->53971 53972 401fbd 28 API calls 53971->53972 53973 414c0e 53972->53973 53974 41afc3 28 API calls 53973->53974 53975 414c17 53974->53975 53976 414d8a 53975->53976 53977 414c37 GetTickCount 53975->53977 54038 414d99 53975->54038 53978 401d8c 11 API calls 53976->53978 53979 41ad46 28 API calls 53977->53979 53980 4161fb 53978->53980 53982 414c4d 53979->53982 53983 401eea 11 API calls 53980->53983 53981 414dad 54045 404ab1 83 API calls 53981->54045 54043 41aca0 GetLastInputInfo GetTickCount 53982->54043 53986 416207 53983->53986 53989 401eea 11 API calls 53986->53989 53987 414d7d 53987->53976 53988 414c54 53990 41ad46 28 API calls 53988->53990 53991 416213 53989->53991 53992 414c5f 53990->53992 53993 41ac52 30 API calls 53992->53993 53994 414c6d 53993->53994 53995 41aec8 28 API calls 53994->53995 53996 414c7b 53995->53996 53997 401d64 28 API calls 53996->53997 53998 414c89 53997->53998 53999 4027ec 28 API calls 53998->53999 54000 414c97 53999->54000 54001 40275c 28 API calls 54000->54001 54002 414ca6 54001->54002 54003 4027cb 28 API calls 54002->54003 54004 414cb5 54003->54004 54005 40275c 28 API calls 54004->54005 54006 414cc4 54005->54006 54007 4027cb 28 API calls 54006->54007 54008 414cd0 54007->54008 54009 40275c 28 API calls 54008->54009 54010 414cda 54009->54010 54011 404468 61 API calls 54010->54011 54012 414ce9 54011->54012 54013 401eea 11 API calls 54012->54013 54014 414cf2 54013->54014 54015 401eea 11 API calls 54014->54015 54016 414cfe 54015->54016 54017 401eea 11 API calls 54016->54017 54018 414d0a 54017->54018 54019 401eea 11 API calls 54018->54019 54020 414d16 54019->54020 54021 401eea 11 API 
calls 54020->54021 54022 414d22 54021->54022 54023 401eea 11 API calls 54022->54023 54024 414d2e 54023->54024 54025 401e13 11 API calls 54024->54025 54026 414d3a 54025->54026 54027 401eea 11 API calls 54026->54027 54028 414d43 54027->54028 54029 401eea 11 API calls 54028->54029 54030 414d4c 54029->54030 54031 401d64 28 API calls 54030->54031 54032 414d57 54031->54032 54033 43a5e7 _strftime 39 API calls 54032->54033 54034 414d64 54033->54034 54035 414d69 54034->54035 54036 414d8f 54034->54036 54039 414d82 54035->54039 54040 414d77 54035->54040 54037 401d64 28 API calls 54036->54037 54037->54038 54038->53976 54038->53981 54042 404915 104 API calls 54039->54042 54044 4049ba 81 API calls 54040->54044 54042->53976 54043->53988 54044->53987 54045->53987 54046->53566 54049 40cc3f 54048->54049 54050 403b9e 28 API calls 54049->54050 54051 40ca3a 54050->54051 54052 402860 54051->54052 54054 40286f 54052->54054 54053 4028b1 54061 402daf 54053->54061 54054->54053 54056 4028a6 54054->54056 54060 402d68 28 API calls 54056->54060 54058 4028af 54058->53126 54059->53106 54060->54058 54062 402dbb 54061->54062 54063 4030f7 28 API calls 54062->54063 54064 402dcd 54063->54064 54064->54058 54067 40e56a 54065->54067 54066 4124b7 3 API calls 54066->54067 54067->54066 54068 40e60e 54067->54068 54070 40e5fe Sleep 54067->54070 54075 40e59c 54067->54075 54071 4082dc 28 API calls 54068->54071 54069 4082dc 28 API calls 54069->54075 54070->54067 54072 40e619 54071->54072 54076 41ae08 28 API calls 54072->54076 54074 41ae08 28 API calls 54074->54075 54075->54069 54075->54070 54075->54074 54080 401e13 11 API calls 54075->54080 54083 401f66 28 API calls 54075->54083 54087 4126d2 14 API calls 54075->54087 54098 40bf04 73 API calls ___scrt_fastfail 54075->54098 54099 412774 14 API calls 54075->54099 54077 40e625 54076->54077 54100 412774 14 API calls 54077->54100 54080->54075 54081 40e638 54082 401e13 11 API calls 54081->54082 54084 40e644 54082->54084 54083->54075 54085 401f66 28 API calls 
54084->54085 54086 40e655 54085->54086 54088 4126d2 14 API calls 54086->54088 54087->54075 54089 40e668 54088->54089 54101 411699 TerminateProcess WaitForSingleObject 54089->54101 54091 40e670 ExitProcess 54102 411637 62 API calls 54095->54102 54099->54075 54100->54081 54101->54091 54103 41569e 54104 401d64 28 API calls 54103->54104 54105 4156b3 54104->54105 54106 401fbd 28 API calls 54105->54106 54107 4156bb 54106->54107 54108 401d64 28 API calls 54107->54108 54109 4156cb 54108->54109 54110 401fbd 28 API calls 54109->54110 54111 4156d3 54110->54111 54114 411aed 54111->54114 54115 4041f1 3 API calls 54114->54115 54116 411b01 54115->54116 54117 40428c 97 API calls 54116->54117 54118 411b09 54117->54118 54119 4027ec 28 API calls 54118->54119 54120 411b22 54119->54120 54121 4027cb 28 API calls 54120->54121 54122 411b2c 54121->54122 54123 404468 61 API calls 54122->54123 54124 411b36 54123->54124 54125 401eea 11 API calls 54124->54125 54126 411b3e 54125->54126 54127 4045d5 261 API calls 54126->54127 54128 411b4c 54127->54128 54129 401eea 11 API calls 54128->54129 54130 411b54 54129->54130 54131 401eea 11 API calls 54130->54131 54132 411b5c 54131->54132

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleLibraryLoadModule
                                                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                          • API String ID: 384173800-625181639
                                                                                          • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                          • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                          • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                          • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000104), ref: 0040D790
                                                                                            • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                          • String ID: 0DG$@CG$@CG$@N$Access Level: $Administrator$C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-QJ4441$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                          • API String ID: 2830904901-1725734398
                                                                                          • Opcode ID: a4062e41adf6686acffc36f4840597c47d937f7272c63bb278fadcad830c86a1
                                                                                          • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                          • Opcode Fuzzy Hash: a4062e41adf6686acffc36f4840597c47d937f7272c63bb278fadcad830c86a1
                                                                                          • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
                                                                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                          • NtClose.NTDLL(?), ref: 0041744A
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                          • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
                                                                                          • NtClose.NTDLL(?), ref: 004175B6
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                          • GetLastError.KERNEL32 ref: 004175C7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                          • API String ID: 3150337530-3035715614
                                                                                          • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                          • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                          • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                          • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,@N), ref: 004124F5
                                                                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                          • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                          • ExitProcess.KERNEL32 ref: 0040E672
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                          • String ID: 5.3.0 Pro$@N$override$pth_unenc$BG
                                                                                          • API String ID: 2281282204-3152496120
                                                                                          • Opcode ID: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                                                                          • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                          • Opcode Fuzzy Hash: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                                                                          • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1507 100010f1-10001166 call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW 1514 10001177-1000119e lstrlenW FindFirstFileW 1507->1514 1515 10001168-10001172 lstrlenW 1507->1515 1516 100011a0-100011a8 1514->1516 1517 100011e1-100011e9 1514->1517 1515->1514 1518 100011c7-100011d8 FindNextFileW 1516->1518 1519 100011aa-100011c4 call 10001000 1516->1519 1518->1516 1521 100011da-100011db FindClose 1518->1521 1519->1518 1521->1517
                                                                                          APIs
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                          • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                          • String ID:
                                                                                          • API String ID: 1083526818-0
                                                                                          • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                          • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                          • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                          • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
                                                                                          APIs
                                                                                            • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                          • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                          • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                          • String ID:
                                                                                          • API String ID: 3525466593-0
                                                                                          • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                          • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                          • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                          • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                          Strings
                                                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$EventLocalThreadTime
                                                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 2532271599-1507639952
                                                                                          • Opcode ID: e19e58dcac3ce5d27b871b0be8e523833685dd75a28e9a7082eec7a4ce1bbe88
                                                                                          • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                          • Opcode Fuzzy Hash: e19e58dcac3ce5d27b871b0be8e523833685dd75a28e9a7082eec7a4ce1bbe88
                                                                                          • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                          APIs
                                                                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                                                          • String ID:
                                                                                          • API String ID: 1815803762-0
                                                                                          • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                          • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                          • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                          • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                          APIs
                                                                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                          • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$ComputerUser
                                                                                          • String ID:
                                                                                          • API String ID: 4229901323-0
                                                                                          • Opcode ID: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                                                                          • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                          • Opcode Fuzzy Hash: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                                                                          • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                                                          • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                          • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                                                          • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: recv
                                                                                          • String ID:
                                                                                          • API String ID: 1507349165-0
                                                                                          • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                          • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                          • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                          • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 494 413fd4-41401f call 401faa call 41aa73 call 401faa call 401d64 call 401e8f call 43a5e7 507 414021-414028 Sleep 494->507 508 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afc3 call 404262 call 401d64 call 40b125 494->508 507->508 523 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afc3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 508->523 524 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 508->524 577 41419a-4141a1 523->577 578 41418c-414198 523->578 524->523 579 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 577->579 578->579 606 414244-41428a WSAGetLastError call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 579->606 607 41428f-41429d call 4041f1 579->607 628 414b54-414b66 call 4047eb call 4020b4 606->628 612 4142ca-4142df call 404915 call 40428c 607->612 613 41429f-4142c5 call 401f66 * 2 call 41a686 607->613 627 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 4 call 41a96d call 413683 call 4082dc call 440c51 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 612->627 612->628 613->628 694 414434-414441 call 40541d 627->694 695 414446-41446d call 401e8f call 412513 627->695 643 414b68-414b88 call 401d64 call 401e8f call 43a5e7 Sleep 628->643 644 414b8e-414b96 call 401d8c 628->644 643->644 644->523 694->695 701 414474-414abb call 403b40 call 40cbf1 call 41adee call 41aec8 call 41ad46 call 401d64 GetTickCount call 41ad46 call 41aca0 call 41ad46 * 2 call 41ac52 call 41aec8 * 5 call 40e679 call 41aec8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c call 404468 call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 695->701 702 41446f-414471 695->702 947 414ac0-414ac7 701->947 702->701 948 414ac9-414ad0 947->948 949 414adb-414ae2 947->949 948->949 950 414ad2-414ad4 948->950 951 414ae4-414ae9 call 40a767 949->951 952 414aee-414b20 call 405415 call 401f66 * 2 call 41a686 949->952 950->949 963 414b22-414b2e CreateThread 952->963 964 414b34-414b4f call 401eea * 2 call 401e13 952->964 963->964 964->628
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,00000029,@N,?,00000000), ref: 00414028
                                                                                          • WSAGetLastError.WS2_32 ref: 00414249
                                                                                          • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$ErrorLastLocalTime
                                                                                          • String ID: | $%I64u$5.3.0 Pro$@CG$@N$C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-QJ4441$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                          • API String ID: 524882891-2156811480
                                                                                          • Opcode ID: 998008d8d66266aa536d242af2c0764c70518c386f3b9735257e53b3b4640b25
                                                                                          • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                          • Opcode Fuzzy Hash: 998008d8d66266aa536d242af2c0764c70518c386f3b9735257e53b3b4640b25
                                                                                          • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D
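
The strings the report lists for this block ("Connecting | ", "Connected | ", "TLS On ", "Connection Error: Unable to create socket", "Rmc-QJ4441"), together with the ones it lists for the connect helper at 0x40428c further down ("Connection Refused", "TLS Handshake... |", "TLS Authentication Failed"), are the connection-log vocabulary of this sample, which makes them a cheap way to triage other memory dumps for the same code. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It searches a dump for those status strings in both ASCII and UTF-16LE, because the report's string list does not say how the binary encodes them, and for names shaped like Rmc-XXXXXX. Reading "Rmc-QJ4441" as the sample's mutex name is an assumption made here, not a finding stated on this page. The input dump is constructed inline.

```python
import re

# Status strings the Joe Sandbox report lists for this sample's connect loop at
# 0x413fd4 and its connect helper at 0x40428c, copied as printed. The report does
# not say how the binary encodes them, so both ASCII and UTF-16LE are searched.
REMCOS_STATUS_STRINGS = (
    "Connecting | ",
    "Connected | ",
    "Disconnected",
    "Connection Error: Unable to create socket",
    "Connection Refused",
    "TLS Handshake... |",
    "TLS Authentication Failed",
    "TLS On ",
    "TLS Off",
)

# Assumption: the report's "Rmc-QJ4441" string is the sample's mutex name, so other
# dumps are searched for the same shape, "Rmc-" followed by six upper-case alphanumerics.
MUTEX_ASCII = re.compile(rb"Rmc-[A-Z0-9]{6}")
MUTEX_WIDE = re.compile(rb"R\x00m\x00c\x00-\x00(?:[A-Z0-9]\x00){6}")


def _needles(s):
    """(encoding label, byte pattern) pairs to search for one status string."""
    return (("ascii", s.encode("ascii")), ("utf-16-le", s.encode("utf-16-le")))


def find_status_strings(blob):
    """Sorted (offset, encoding, string) hits for every known status string."""
    hits = []
    for s in REMCOS_STATUS_STRINGS:
        for enc, needle in _needles(s):
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, enc, s))
                start = pos + 1
    return sorted(hits)


def find_mutex_names(blob):
    """Distinct Rmc-XXXXXX names found in either encoding, decoded to str."""
    names = {m.group(0).decode("ascii") for m in MUTEX_ASCII.finditer(blob)}
    names |= {m.group(0).decode("utf-16-le") for m in MUTEX_WIDE.finditer(blob)}
    return sorted(names)


def triage(blob, min_distinct=3):
    """Summarise one dump: distinct status strings, mutex names and a verdict.

    The verdict only says the dump carries the same connection-log vocabulary
    as this sample; it is a triage signal, not a family attribution.
    """
    distinct = sorted({s for _, _, s in find_status_strings(blob)})
    return {
        "status_strings": distinct,
        "mutex_names": find_mutex_names(blob),
        "remcos_like": len(distinct) >= min_distinct,
    }


# Constructed dump for the example: wide status strings, one ASCII string, one
# well-formed Rmc- name and one malformed one. It is not memory from the sample.
SAMPLE_DUMP = (
    b"\x00" * 8
    + "Connecting | ".encode("utf-16-le")
    + b"\x00MZ\x90\x00"
    + "Connected | ".encode("utf-16-le")
    + b"TLS On \x00"
    + b"Rmc-QJ4441\x00"
    + "Connection Error: Unable to create socket".encode("utf-16-le")
    + b"Rmc-ab\x00"  # lower case and too short: must not match
)

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Searching both encodings matters in practice: a process dump of a Remcos host usually contains the wide copies the code actually logs with as well as ASCII copies left over from the configuration, and a scanner that tries only one of them will miss dumps where the other survived.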

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 971 411c81-411cca GetModuleFileNameW call 401faa * 3 978 411ccc-411d56 call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea 971->978 1003 411d58-411de8 call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 978->1003 1026 411df8 1003->1026 1027 411dea-411df2 Sleep 1003->1027 1028 411dfa-411e8a call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1026->1028 1027->1003 1027->1026 1051 411e9a 1028->1051 1052 411e8c-411e94 Sleep 1028->1052 1053 411e9c-411f2c call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1051->1053 1052->1028 1052->1051 1076 411f3c-411f60 1053->1076 1077 411f2e-411f36 Sleep 1053->1077 1078 411f64-411f80 call 401e07 call 41b61a 1076->1078 1077->1053 1077->1076 1083 411f82-411f91 call 401e07 DeleteFileW 1078->1083 1084 411f97-411fb3 call 401e07 call 41b61a 1078->1084 1083->1084 1091 411fd0 1084->1091 1092 411fb5-411fce call 401e07 DeleteFileW 1084->1092 1094 411fd4-411ff0 call 401e07 call 41b61a 1091->1094 1092->1094 1100 411ff2-412004 call 401e07 DeleteFileW 1094->1100 1101 41200a-41200c 1094->1101 1100->1101 1102 412019-412024 Sleep 1101->1102 1103 41200e-412010 1101->1103 1102->1078 1107 41202a-41203c call 408339 1102->1107 1103->1102 1106 412012-412017 1103->1106 1106->1102 1106->1107 1110 412092-4120b1 call 401e13 * 3 1107->1110 1111 41203e-41204c call 408339 1107->1111 1122 4120b6-41211f call 40b027 call 401e07 call 401fbd call 4123f7 call 401e13 call 405422 1110->1122 1111->1110 1117 41204e-41205c call 408339 1111->1117 1117->1110 1123 41205e-41208a Sleep call 401e13 * 3 1117->1123 1143 412125-41226f call 41aec8 call 41ad46 call 4027ec call 4027cb * 6 call 40275c call 4027cb call 40275c call 404468 call 401eea * 10 1122->1143 1144 412274-41236b call 41aec8 call 4027ec call 4027cb * 6 call 40275c call 404468 call 401eea * 7 1122->1144 1123->978 1137 412090 1123->1137 1137->1122 1213 41236f-4123cf call 401eea call 401e13 call 401eea * 7 1143->1213 1144->1213 1243 4123d4-4123f6 call 401eea * 2 1213->1243
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,@N), ref: 0041AB5F
                                                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                          • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                          • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                          • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                          • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                          • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                          • String ID: /stext "$HDG$HDG$>G$>G
                                                                                          • API String ID: 1223786279-3931108886
                                                                                          • Opcode ID: 75a1c88232e94dd8f7e475bd391443dd321e9ecfe34a2257c0ca13422a014761
                                                                                          • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                          • Opcode Fuzzy Hash: 75a1c88232e94dd8f7e475bd391443dd321e9ecfe34a2257c0ca13422a014761
                                                                                          • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                            • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                            • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                            • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                            • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                          • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                          • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                          • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                          • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                          • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                          • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                          • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                          • String ID: )$Foxmail$ProgramFiles
                                                                                          • API String ID: 672098462-2938083778
                                                                                          • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                          • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                          • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                          • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1286 40428c-4042ad connect 1287 4043e1-4043e5 1286->1287 1288 4042b3-4042b6 1286->1288 1291 4043e7-4043f5 WSAGetLastError 1287->1291 1292 40445f 1287->1292 1289 4043da-4043dc 1288->1289 1290 4042bc-4042bf 1288->1290 1293 404461-404465 1289->1293 1294 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1290->1294 1295 4042eb-4042f5 call 420151 1290->1295 1291->1292 1296 4043f7-4043fa 1291->1296 1292->1293 1294->1295 1306 404306-404313 call 420373 1295->1306 1307 4042f7-404301 1295->1307 1299 404439-40443e 1296->1299 1300 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1296->1300 1302 404443-40445c call 401f66 * 2 call 41a686 1299->1302 1300->1292 1302->1292 1320 404315-404338 call 401f66 * 2 call 41a686 1306->1320 1321 40434c-404357 call 420f34 1306->1321 1307->1302 1347 40433b-404347 call 420191 1320->1347 1332 404389-404396 call 4202ea 1321->1332 1333 404359-404387 call 401f66 * 2 call 41a686 call 420592 1321->1333 1343 404398-4043bb call 401f66 * 2 call 41a686 1332->1343 1344 4043be-4043d7 CreateEventW * 2 1332->1344 1333->1347 1343->1344 1344->1289 1347->1292
                                                                                          APIs
                                                                                          • connect.WS2_32(?,0050C168,00000010), ref: 004042A5
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                          • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                          • API String ID: 994465650-2151626615
                                                                                          • Opcode ID: 2d798a5fa1db7d59694009db928515f61fa98dc21aae2058d3a2b15e05fc5637
                                                                                          • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                          • Opcode Fuzzy Hash: 2d798a5fa1db7d59694009db928515f61fa98dc21aae2058d3a2b15e05fc5637
                                                                                          • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
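
The control_flow_graph line above is the report's textual form of the graph image: each basic block appears as a node number followed by its address range, then the internal calls ("call 401f66") and Win32 APIs the block makes, with "* N" marking N consecutive calls, and the "a->b" tokens are the edges. The Python below is an added example written for this page, not Joe Sandbox's own code. It parses that text into blocks and edges so that questions the coloured image answers at a glance (which block calls CreateEventW, whether the WSAGetLastError error path can ever reach it) can be asked programmatically across a whole report. The reading of the token format is inferred from the lines on this page and is an assumption; the embedded sample is the graph line for 0x40428c copied verbatim from the report.

```python
import re
from collections import Counter, deque
from dataclasses import dataclass, field

# Assumed reading of Joe Sandbox's control_flow_graph text, inferred from this report:
#   "<id> <start>[-<end>]"  opens a basic block (decimal node id, hex address range)
#   "call <addr>"           a call to an internal function at <addr>
#   "<Name>"                a Win32 API called from the block, e.g. connect
#   "* <n>"                 the preceding call or API repeated n times in a row
#   "<a>-><b>"              a control-flow edge between node ids
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    id: int
    start: str
    end: str
    calls: list = field(default_factory=list)  # [address, count] pairs
    apis: list = field(default_factory=list)   # [API name, count] pairs


def parse_cfg(text):
    """Parse one control_flow_graph line into ({id: Block}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, last = {}, [], None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            cur = blocks[int(tok)] = Block(int(tok), start, end or start)
            i += 2
        elif cur is None:
            raise ValueError(f"token {tok!r} appears before any block")
        elif tok == "call":
            last = [tokens[i + 1], 1]
            cur.calls.append(last)
            i += 2
        elif tok == "*":
            last[1] = int(tokens[i + 1])  # repeat count applies to the last item
            i += 2
        else:
            last = [tok, 1]  # anything else is a Win32 API name
            cur.apis.append(last)
            i += 1
    return blocks, edges


def totals(blocks, kind="apis"):
    """Total count per name over all blocks; kind is 'apis' or 'calls'."""
    c = Counter()
    for b in blocks.values():
        for name, n in getattr(b, kind):
            c[name] += n
    return dict(c)


def blocks_using(blocks, name):
    """Ids of blocks that call the given API name or internal address."""
    return sorted(b.id for b in blocks.values()
                  if any(n == name for n, _ in b.apis + b.calls))


def reachable(edges, start):
    """Node ids reachable from start (start included) along CFG edges."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in succ.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


# The report's graph line for the connect routine at 0x40428c, copied verbatim.
SAMPLE_CFG = (
    "control_flow_graph 1286 40428c-4042ad connect 1287 4043e1-4043e5 1286->1287 "
    "1288 4042b3-4042b6 1286->1288 1291 4043e7-4043f5 WSAGetLastError 1287->1291 "
    "1292 40445f 1287->1292 1289 4043da-4043dc 1288->1289 1290 4042bc-4042bf 1288->1290 "
    "1293 404461-404465 1289->1293 1294 4042c1-4042e8 call 404cbf call 401f66 call 41a686 "
    "1290->1294 1295 4042eb-4042f5 call 420151 1290->1295 1291->1292 1296 4043f7-4043fa "
    "1291->1296 1292->1293 1294->1295 1306 404306-404313 call 420373 1295->1306 "
    "1307 4042f7-404301 1295->1307 1299 404439-40443e 1296->1299 1300 4043fc-404437 "
    "call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1296->1300 "
    "1302 404443-40445c call 401f66 * 2 call 41a686 1299->1302 1300->1292 1302->1292 "
    "1320 404315-404338 call 401f66 * 2 call 41a686 1306->1320 1321 40434c-404357 "
    "call 420f34 1306->1321 1307->1302 1347 40433b-404347 call 420191 1320->1347 "
    "1332 404389-404396 call 4202ea 1321->1332 1333 404359-404387 call 401f66 * 2 "
    "call 41a686 call 420592 1321->1333 1343 404398-4043bb call 401f66 * 2 call 41a686 "
    "1332->1343 1344 4043be-4043d7 CreateEventW * 2 1332->1344 1333->1347 1343->1344 "
    "1344->1289 1347->1292"
)

if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    print(len(blocks), "blocks,", len(edges), "edges, APIs:", totals(blocks))
    print("blocks on the WSAGetLastError path:", sorted(reachable(edges, 1291)))
```

On this graph the parser recovers 23 blocks and 32 edges; the connect block 1286 fans out to the WSAGetLastError block 1291 and to the path that ends in the CreateEventW block 1344, and 1344 is not reachable from 1291, which is the distinction the report's colouring makes between the failure and success paths. The internal target 41a686 (the subcall the report annotates with GetLocalTime) is called from six blocks, consistent with the status strings listed above being logged with a timestamp.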

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                          • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 3658366068-0
                                                                                          • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                          • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                          • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                          • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1378 40c89e-40c8c3 call 401e52 1381 40c8c9 1378->1381 1382 40c9ed-40ca85 call 401e07 GetLongPathNameW call 403b40 * 2 call 40cc37 call 402860 * 2 call 401e13 * 5 1378->1382 1383 40c8d0-40c8d5 1381->1383 1384 40c9c2-40c9c7 1381->1384 1385 40c905-40c90a 1381->1385 1386 40c9d8 1381->1386 1387 40c9c9-40c9ce call 43ac0f 1381->1387 1388 40c8da-40c8e8 call 41a74b call 401e18 1381->1388 1389 40c8fb-40c900 1381->1389 1390 40c9bb-40c9c0 1381->1390 1391 40c90f-40c916 call 41b15b 1381->1391 1393 40c9dd-40c9e2 call 43ac0f 1383->1393 1384->1393 1385->1393 1386->1393 1398 40c9d3-40c9d6 1387->1398 1409 40c8ed 1388->1409 1389->1393 1390->1393 1407 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1391->1407 1408 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1391->1408 1403 40c9e3-40c9e8 call 4082d7 1393->1403 1398->1386 1398->1403 1403->1382 1415 40c8f1-40c8f6 call 401e13 1407->1415 1408->1409 1409->1415 1415->1382
                                                                                          APIs
                                                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LongNamePath
                                                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                          • API String ID: 82841172-425784914
                                                                                          • Opcode ID: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                                                                          • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                          • Opcode Fuzzy Hash: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                                                                          • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

Control-flow Graph

Control-flow graph (rendered as an interactive graph in the original report): function at 0041A51B, blocks 41a51b to 41a5c8; InternetOpenW and InternetOpenUrlW in the entry block, InternetReadFile in block 41a55c, which is re-entered from 41a5a8 in a loop, and two InternetCloseHandle calls in the exit path at 41a5ac.
                                                                                          APIs
                                                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                          Strings
                                                                                          • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                                                          • String ID: http://geoplugin.net/json.gp
                                                                                          • API String ID: 3121278467-91888290
                                                                                          • Opcode ID: 73696255e9202b198c78c3ab478e8b01571d3d764b4ec7d5d8b5efc8061108e0
                                                                                          • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                          • Opcode Fuzzy Hash: 73696255e9202b198c78c3ab478e8b01571d3d764b4ec7d5d8b5efc8061108e0
                                                                                          • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
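The per-function "APIs" entries on this page all follow one line shape: an optional "Part of subcall function <addr>:" prefix, then Function.MODULE(arg,arg,...), ref: <addr>. When pulling indicators out of a report like this one, the two things worth getting right are the registry root handle in the first Reg* argument (80000001 is HKEY_CURRENT_USER, not HKEY_LOCAL_MACHINE) and the string encoding: a W-suffixed API such as InternetOpenUrlW receives a UTF-16LE string, so the geoplugin URL sits in the dump as wide characters and an ASCII-only grep misses it. The parser below is an added example, not part of the Joe Sandbox report or of the Remcos sample; its sample input is constructed from the API lines shown on this page, and the HKEY_* table and the W-suffix convention are standard Win32 facts rather than anything the report states.

```python
"""Parse Joe Sandbox per-function "APIs" lines into records and derive the
indicators an analyst wants (URLs, registry roots, dump search patterns).
Added example; not code from the report or from the analysed sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from entries shown on this page (direct calls plus one
# "Part of subcall function" entry, indented as the report indents it).
SAMPLE_LINES = """\
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,@N,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
"""

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry root handles as they appear in the first Reg* argument.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

URL = re.compile(r"https?://\S+")


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    caller: Optional[int]    # set for "Part of subcall function" entries

    @property
    def wide(self) -> bool:
        """W-suffixed Win32 APIs take UTF-16LE strings."""
        return self.func.endswith("W")

    def string_args(self) -> List[str]:
        """Arguments Joe Sandbox resolved to text: anything that is neither '?'
        nor an 8-digit hex literal. (A resolved string that happens to be
        exactly eight hex digits would be dropped here; acceptable for IOC work.)"""
        return [a for a in self.args
                if a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a)]

    def hive(self) -> Optional[str]:
        """Registry root for Reg* calls whose first argument is a known handle."""
        if not self.func.startswith("Reg") or not self.args:
            return None
        try:
            return HIVES.get(int(self.args[0], 16))
        except ValueError:       # first argument is '?' or a resolved string
            return None

    def search_patterns(self) -> List[bytes]:
        """Byte patterns to look for in a memory dump: UTF-16LE for W APIs,
        ASCII for the A/unsuffixed ones."""
        enc = "utf-16-le" if self.wide else "ascii"
        return [s.encode(enc) for s in self.string_args()]


def parse(text: str) -> List[ApiCall]:
    """Return one ApiCall per API line; headings and other lines are skipped.
    Arguments are split on ',' which is adequate for the report's own output."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(func=m["func"], module=m["module"], args=args,
                             ref=int(m["ref"], 16),
                             caller=int(m["caller"], 16) if m["caller"] else None))
    return calls


def indicators(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Collect URLs, registry roots and resolved strings across all calls."""
    urls, hives, strings = set(), set(), set()
    for c in calls:
        for s in c.string_args():
            strings.add(s)
            urls.update(URL.findall(s))
        h = c.hive()
        if h:
            hives.add(h)
    return {"urls": sorted(urls), "hives": sorted(hives), "strings": sorted(strings)}


if __name__ == "__main__":
    parsed = parse(SAMPLE_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.func}.{c.module} wide={c.wide} strings={c.string_args()}")
    print(indicators(parsed))
```

Feeding the whole "APIs" section of a report through parse() and then indicators() gives the URL, registry root and string set in one pass; search_patterns() yields the exact bytes to carve from the process dump for each resolved string, in the encoding the called API actually used.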

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                            • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                            • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                            • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                            • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                          • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                          • API String ID: 782494840-2070987746
                                                                                          • Opcode ID: 19248c9732af6e9ef00e2f0e516aa112708340eb9e7ab1e58b257d5fb57f3ab9
                                                                                          • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                          • Opcode Fuzzy Hash: 19248c9732af6e9ef00e2f0e516aa112708340eb9e7ab1e58b257d5fb57f3ab9
                                                                                          • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Control-flow Graph

Control-flow graph (rendered as an interactive graph in the original report): function at 004126D2; RegCreateKeyA in the entry block, then either a direct fall-through to 412722 or the block at 4126eb that calls RegSetValueExA and RegCloseKey; both paths join at 412724.
                                                                                          APIs
                                                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                          • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,@N,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                          • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateValue
                                                                                          • String ID: @N$HgF$pth_unenc
                                                                                          • API String ID: 1818849710-4025041174
                                                                                          • Opcode ID: a8a1558e301af92e4391434ed0694e92c04ce86e799f8faadff9b348f5dda564
                                                                                          • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                          • Opcode Fuzzy Hash: a8a1558e301af92e4391434ed0694e92c04ce86e799f8faadff9b348f5dda564
                                                                                          • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Control-flow Graph

Control-flow graph (rendered as an interactive graph in the original report): function at 1000C7E6 in the module mapped at 10000000; GetModuleHandleA in the entry block, a call into 1000C803 (GetProcAddress followed by two VirtualProtect calls), a second GetModuleHandleA at 1000c835 feeding a short loop at 1000c83f, and a GetProcAddress at 1000c85f before the exit.
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                            • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2099061454-0
                                                                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                          • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                          • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                            • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2099061454-0
                                                                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                          • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                          • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 2152742572-0
                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                          • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                          • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                                          APIs
                                                                                          • send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          • WaitForSingleObject.KERNEL32(000002EC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                          • SetEvent.KERNEL32(000002EC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: EventObjectSingleWaitsend
                                                                                          • String ID: LAL
                                                                                          • API String ID: 3963590051-3302426157
                                                                                          • Opcode ID: 797cf9f69927d8c8d5f5ebf388408a12a36e02342b08a7f5b9e29609ca137d04
                                                                                          • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                          • Opcode Fuzzy Hash: 797cf9f69927d8c8d5f5ebf388408a12a36e02342b08a7f5b9e29609ca137d04
                                                                                          • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,@N), ref: 00412679
                                                                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                          • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: @N
                                                                                          • API String ID: 3677997916-515963765
                                                                                          • Opcode ID: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                                                          • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                                                          • Opcode Fuzzy Hash: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                                                          • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,@N), ref: 004124F5
                                                                                          • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: @N
                                                                                          • API String ID: 3677997916-515963765
                                                                                          • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                          • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                          • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                          • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                          APIs
                                                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                          • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                          • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateValue
                                                                                          • String ID: TUF
                                                                                          • API String ID: 1818849710-3431404234
                                                                                          • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                          • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                          • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                          • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                          • String ID:
                                                                                          • API String ID: 3360349984-0
                                                                                          • Opcode ID: f49accacbea047204dfc159e8d9f5a52a3152a38306e4b52ab6f1ec190d343e3
                                                                                          • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                                          • Opcode Fuzzy Hash: f49accacbea047204dfc159e8d9f5a52a3152a38306e4b52ab6f1ec190d343e3
                                                                                          • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleReadSize
                                                                                          • String ID:
                                                                                          • API String ID: 3919263394-0
                                                                                          • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                          • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                          • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                          • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountEventTick
                                                                                          • String ID: >G
                                                                                          • API String ID: 180926312-1296849874
                                                                                          • Opcode ID: c435f9ec249b0fb0016b2def8369ff285af2482d552107c0ad83acc50e928c54
                                                                                          • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                                          • Opcode Fuzzy Hash: c435f9ec249b0fb0016b2def8369ff285af2482d552107c0ad83acc50e928c54
                                                                                          • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                          APIs
                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                          • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorLastMutex
                                                                                          • String ID: Rmc-QJ4441
                                                                                          • API String ID: 1925916568-1611132217
                                                                                          • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                          • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                          • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                          • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                          • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3677997916-0
                                                                                          • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                                                          • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                                          • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                                                          • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                          • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3677997916-0
                                                                                          • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                          • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                          • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                          • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID: xAG
                                                                                          • API String ID: 176396367-2759412365
                                                                                          • Opcode ID: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                          • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                                          • Opcode Fuzzy Hash: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                          • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: GlobalMemoryStatus
                                                                                          • String ID: @
                                                                                          • API String ID: 1890195054-2766056989
                                                                                          • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                          • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                          • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                          • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 0044B9DF
                                                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                          • RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,00431FD7,00000000,0000000F,0042EA3D,?,?,00430AA6,?,00000000), ref: 0044BA1B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap$_free
                                                                                          • String ID:
                                                                                          • API String ID: 1482568997-0
                                                                                          • Opcode ID: 6d1be577c9a35bc0b28deeed51393a067267046c1d6c489358c9943441165e26
                                                                                          • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                          • Opcode Fuzzy Hash: 6d1be577c9a35bc0b28deeed51393a067267046c1d6c489358c9943441165e26
                                                                                          • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                          APIs
                                                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                            • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventStartupsocket
                                                                                          • String ID:
                                                                                          • API String ID: 1953588214-0
                                                                                          • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                          • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                          • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                          • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                          APIs
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                            • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,?,>C,00000000,00000000,?,?,?,?,?,?,00433E09,?,0046D5EC), ref: 00437C37
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                                          • String ID:
                                                                                          • API String ID: 3476068407-0
                                                                                          • Opcode ID: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                          • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                          • Opcode Fuzzy Hash: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                          • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$ForegroundText
                                                                                          • String ID:
                                                                                          • API String ID: 29597999-0
                                                                                          • Opcode ID: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                                                                          • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                                                          • Opcode Fuzzy Hash: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                                                                          • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                                                          APIs
                                                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                          • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                            • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                            • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                            • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                            • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                            • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                          • String ID:
                                                                                          • API String ID: 1170566393-0
                                                                                          • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                          • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                          • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                          • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                          APIs
                                                                                          • VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          • Opcode ID: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
                                                                                          • Instruction ID: f15b865ef06e6e56f0e3155fe6c262580cd03049418ed3f125d30449dfe24c6e
                                                                                          • Opcode Fuzzy Hash: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
                                                                                          • Instruction Fuzzy Hash: 0B11CE72700101AFD6149A18C880BA6B766FF80710F5942AEE115CB292DBB5FCD2CA94
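The function records above list raw API calls and their call sites, but triage usually wants the behaviour each cluster implies: GetForegroundWindow followed by GetWindowTextW is how a keylogger labels keystrokes with the active window title, GetSystemDirectoryA/LoadLibraryA/GetProcAddress wrapped around getaddrinfo is runtime import resolution, WSAStartup plus socket is Winsock client setup, and VirtualProtect is a page-permission change. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses API lines in the record format printed here and tags each record with the capability its API set suggests. The excerpt it runs over is constructed by copying API lines from the records on this page; the capability table and its tag names are the example's own assumptions, not Joe Sandbox signatures.

```python
import re

# Added example, not part of the Joe Sandbox report and not code from the analysed
# sample. It parses "APIs" lines in the function-record format printed on this page
# and tags each record with the capability its API set suggests.

# Constructed excerpt: API lines copied from records on this page, so the
# addresses and arguments are the ones the report prints.
SAMPLE = """\
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
Memory Dump Source
APIs
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
Memory Dump Source
APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
• WSASetLastError.WS2_32(00000000), ref: 00413FC1
  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
Memory Dump Source
APIs
• VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: ADDRESS. The parentheses are absent for calls whose
# arguments were not recovered (GetForegroundWindow above).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)

# Capability table: an assumption of this example, not a Joe Sandbox signature.
# A record is tagged when its API set contains every name in the required set.
CAPABILITIES = {
    "winsock_client_setup": {"WSAStartup", "socket"},
    "foreground_window_title_capture": {"GetForegroundWindow", "GetWindowTextW"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "memory_protection_change": {"VirtualProtect"},
}


def _arg(token):
    """Decode one argument token the way the report prints it."""
    token = token.strip()
    if token == "?":
        return None              # value not recovered by the static analysis
    if re.fullmatch(r"[0-9A-F]{8}", token):
        return int(token, 16)    # constant or address, printed as 8 hex digits
    return token                 # literal such as the import name 'getaddrinfo'


def parse_records(text):
    """Split the dump into records (one per 'APIs' header) and parse their calls."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": []}
            records.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None           # the rest of the record is metadata
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        current["calls"].append({
            "name": m["name"],
            "module": m["module"],
            "args": args,
            "ref": int(m["ref"], 16),
            # address of the callee whose body contains this call, if nested
            "subcall": int(m["sub"], 16) if m["sub"] else None,
        })
    return records


def classify(record):
    """Return the sorted capability tags whose required API set is fully present."""
    names = {call["name"] for call in record["calls"]}
    return sorted(tag for tag, needed in CAPABILITIES.items() if needed <= names)


def summarize(text):
    """Per record with at least one call: the first call site and its tags."""
    return [
        {"first_ref": rec["calls"][0]["ref"], "tags": classify(rec)}
        for rec in parse_records(text)
        if rec["calls"]
    ]


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(f"{entry['first_ref']:08X}  {', '.join(entry['tags']) or '-'}")
```

Arguments printed as eight hex digits are decoded to integers and `?` becomes `None`, so a check such as "the GetWindowTextW buffer is 0x100 characters" can be made on parsed values rather than on strings; a record whose API lines carry only `?` arguments still gets its capability tags from the call names alone.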
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                          • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                          • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                          • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                          APIs
                                                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Startup
                                                                                          • String ID:
                                                                                          • API String ID: 724789610-0
                                                                                          • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                          • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                          • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                          • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: send
                                                                                          • String ID:
                                                                                          • API String ID: 2809346765-0
                                                                                          • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                          • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                          • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                          • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Deallocate
                                                                                          • String ID:
                                                                                          • API String ID: 1075933841-0
                                                                                          • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                          • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                          • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                          • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                          • Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
                                                                                          • Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
                                                                                          • Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?), ref: 00406F28
                                                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                            • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,@N), ref: 0041B489
                                                                                            • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,@N), ref: 0041B4BB
                                                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,@N), ref: 0041B50C
                                                                                            • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,@N), ref: 0041B561
                                                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,@N), ref: 0041B568
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                            • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                            • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                            • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                            • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002EC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                            • Part of subcall function 00404468: SetEvent.KERNEL32(000002EC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                          • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                            • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                            • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                            • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                          • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                            • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                          • API String ID: 2918587301-184849705
                                                                                          • Opcode ID: 665482917b7fa97df5a417434c22e24f9703dd485625f7c31a2dab02543ca0df
                                                                                          • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                          • Opcode Fuzzy Hash: 665482917b7fa97df5a417434c22e24f9703dd485625f7c31a2dab02543ca0df
                                                                                          • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                          • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                          • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                          • Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
                                                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                          • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                          • CloseHandle.KERNEL32 ref: 004053CD
                                                                                          • CloseHandle.KERNEL32 ref: 004053D5
                                                                                          • CloseHandle.KERNEL32 ref: 004053E7
                                                                                          • CloseHandle.KERNEL32 ref: 004053EF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                          • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                          • API String ID: 3815868655-81343324
                                                                                          • Opcode ID: 34787d4621f10774a2f8a031e0b5b236cc3ffdbb4b026db84c9cc34a03f3ebd1
                                                                                          • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                          • Opcode Fuzzy Hash: 34787d4621f10774a2f8a031e0b5b236cc3ffdbb4b026db84c9cc34a03f3ebd1
                                                                                          • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                          APIs
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,@N), ref: 004124F5
                                                                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                          • String ID: 0DG$@N$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                          • API String ID: 65172268-3980225984
                                                                                          • Opcode ID: 15c2cf8ba4fa16ac10da4dbf6ebc2712cfd682e19f578d395d2ad12c39b5f787
                                                                                          • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                          • Opcode Fuzzy Hash: 15c2cf8ba4fa16ac10da4dbf6ebc2712cfd682e19f578d395d2ad12c39b5f787
                                                                                          • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFile$FirstNext
                                                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                          • API String ID: 1164774033-3681987949
                                                                                          • Opcode ID: 71db8a861b2fc74db715b2c88002bf75331a4205c2d0913388115495fb865951
                                                                                          • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                          • Opcode Fuzzy Hash: 71db8a861b2fc74db715b2c88002bf75331a4205c2d0913388115495fb865951
                                                                                          • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                          • String ID: @N$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                          • API String ID: 726551946-716590589
                                                                                          • Opcode ID: 4e8d13688393c71aa9a791a17ea9833f86c50a3416487754e50a8c125bc327b9
                                                                                          • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                          • Opcode Fuzzy Hash: 4e8d13688393c71aa9a791a17ea9833f86c50a3416487754e50a8c125bc327b9
                                                                                          • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$Close$File$FirstNext
                                                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                          • API String ID: 3527384056-432212279
                                                                                          • Opcode ID: 23d032247b80a360ab297e3edfec7162f8d5d06b5b50b9e2e722fe899f59b899
                                                                                          • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                          • Opcode Fuzzy Hash: 23d032247b80a360ab297e3edfec7162f8d5d06b5b50b9e2e722fe899f59b899
                                                                                          • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                          APIs
                                                                                          • OpenClipboard.USER32 ref: 004159C7
                                                                                          • EmptyClipboard.USER32 ref: 004159D5
                                                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                          • CloseClipboard.USER32 ref: 00415A5A
                                                                                          • OpenClipboard.USER32 ref: 00415A61
                                                                                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                          • CloseClipboard.USER32 ref: 00415A89
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                          • String ID:
                                                                                          • API String ID: 3520204547-0
                                                                                          • Opcode ID: 2c309660716b8f120810bbffa618e01841a54adcf4c99f1f9e305804b90453d6
                                                                                          • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                          • Opcode Fuzzy Hash: 2c309660716b8f120810bbffa618e01841a54adcf4c99f1f9e305804b90453d6
                                                                                          • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,@N), ref: 0041B489
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,@N), ref: 0041B4BB
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,@N), ref: 0041B529
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,@N), ref: 0041B536
                                                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,@N), ref: 0041B50C
                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,@N), ref: 0041B561
                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,@N), ref: 0041B568
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,@N), ref: 0041B570
                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,@N), ref: 0041B583
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                          • String ID: @N
                                                                                          • API String ID: 2341273852-515963765
                                                                                          • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                          • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                          • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                          • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0$1$2$3$4$5$6$7
                                                                                          • API String ID: 0-3177665633
                                                                                          • Opcode ID: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
                                                                                          • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                          • Opcode Fuzzy Hash: 9b02e51a1cc6672d7d2f4342b27c01cb84a2fdb077451789e1e817f40a25d538
                                                                                          • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 00409B3F
                                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                          • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                          • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                          • GetKeyboardState.USER32(?), ref: 00409B67
                                                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                          • String ID: 8[G
                                                                                          • API String ID: 1888522110-1691237782
                                                                                          • Opcode ID: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                                                                          • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                          • Opcode Fuzzy Hash: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                                                                          • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 00406788
                                                                                          • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Object_wcslen
                                                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                          • API String ID: 240030777-3166923314
                                                                                          • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                          • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                          • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                          • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                          APIs
                                                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                          • GetLastError.KERNEL32 ref: 00419935
                                                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                          • String ID:
                                                                                          • API String ID: 3587775597-0
                                                                                          • Opcode ID: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                                                                          • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                          • Opcode Fuzzy Hash: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                                                                          • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                          APIs
                                                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                          • String ID: <D$<D$<D
                                                                                          • API String ID: 745075371-3495170934
                                                                                          • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                          • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                          • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                          • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: File$Find$CreateFirstNext
                                                                                          • String ID: @CG$XCG$`HG$`HG$>G
                                                                                          • API String ID: 341183262-3780268858
                                                                                          • Opcode ID: 742361a3fec6c776918da606d4bbb20dd1a8ae69a81c3c61d5ab190246d774ad
                                                                                          • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                          • Opcode Fuzzy Hash: 742361a3fec6c776918da606d4bbb20dd1a8ae69a81c3c61d5ab190246d774ad
                                                                                          • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                          • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                          • GetLastError.KERNEL32 ref: 00409A1B
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                          • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                          • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                          Strings
                                                                                          • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                          • String ID: Keylogger initialization failure: error
                                                                                          • API String ID: 3219506041-952744263
                                                                                          • Opcode ID: 394d2ed10b758bec866be95a73fe021b1c2c0c7c33502808925f3de31827cbba
                                                                                          • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                                          • Opcode Fuzzy Hash: 394d2ed10b758bec866be95a73fe021b1c2c0c7c33502808925f3de31827cbba
                                                                                          • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                                                          APIs
                                                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                          • API String ID: 2127411465-314212984
                                                                                          • Opcode ID: 0767d15232cb163887cacf19dc21778a0510e15ffd7329b49e292a3b92b7bfed
                                                                                          • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                          • Opcode Fuzzy Hash: 0767d15232cb163887cacf19dc21778a0510e15ffd7329b49e292a3b92b7bfed
                                                                                          • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                          • GetLastError.KERNEL32 ref: 0040B261
                                                                                          Strings
                                                                                          • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                          • UserProfile, xrefs: 0040B227
                                                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                          • API String ID: 2018770650-1062637481
                                                                                          • Opcode ID: a7b2a17663120d4824e58c4836fec71886d2deb9142c979bd5b37fc2e6fd903f
                                                                                          • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                          • Opcode Fuzzy Hash: a7b2a17663120d4824e58c4836fec71886d2deb9142c979bd5b37fc2e6fd903f
                                                                                          • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                          • GetLastError.KERNEL32 ref: 00416B02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 3534403312-3733053543
                                                                                          • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                          • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                          • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                          • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
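The function records above carry the raw argument values the sandbox captured (for example 0000000D as the first argument of SetWindowsHookExA, 0000003B and 00000003 passed to EnumServicesStatusW, SeShutdownPrivilege passed to LookupPrivilegeValueA) together with the CMSTPLUA elevation-moniker strings. The Python helper below is an added example, not part of the Joe Sandbox report and not code from the Remcos sample: it parses trace lines in the report's "API.MODULE(args), ref: addr" form, decodes the arguments with the Windows SDK constants (WH_KEYBOARD_LL = 0x0D, SERVICE_TYPE_ALL = 0x3B, SERVICE_STATE_ALL = 3), and labels the behaviours a triage analyst would want to pull out of such a record. The function names and the behaviour labels are this example's own; the sample lines are copied from the records on this page and are labelled as constructed input.

```python
"""Triage helper for Joe Sandbox style API-trace lines (added example)."""
import re
from dataclasses import dataclass

# Windows SDK constants needed to decode the raw hex arguments in the trace
WH_KEYBOARD_LL = 0x0D      # SetWindowsHookEx idHook for a low-level keyboard hook
SERVICE_TYPE_ALL = 0x3B    # EnumServicesStatus dwServiceType
SERVICE_STATE_ALL = 0x03   # EnumServicesStatus dwServiceState
# COM elevation moniker prefix and the CLSID of CMSTPLUA (ICMLuaUtil), which
# auto-elevates without a UAC prompt; both strings appear in this report
ELEVATION_MONIKER = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Matches "Api.MODULE(arg,arg,...), ref: 00401234" and "Api.MODULE ref: 00401234"
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[\w.\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int

    def hex_arg(self, i):
        """Argument i as an int, or None when it is '?' (unknown) or a literal string."""
        if i < len(self.args) and HEX8.match(self.args[i]):
            return int(self.args[i], 16)
        return None


def parse_api_line(line):
    """Parse one trace line; returns None for lines that are not API records."""
    m = API_RE.search(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [a.strip() for a in raw.split(",")] if raw.strip() else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def classify_call(call):
    """Map one decoded call to a behaviour label (labels are this example's own)."""
    if call.api.startswith("SetWindowsHookEx") and call.hex_arg(0) == WH_KEYBOARD_LL:
        return f"installs WH_KEYBOARD_LL low-level keyboard hook (keylogger) at {call.ref:08X}"
    if call.api.startswith("DeleteFile") and any("Login Data" in a for a in call.args):
        return f"deletes Chrome 'Login Data' credential store at {call.ref:08X}"
    if call.api.startswith("LookupPrivilegeValue") and "SeShutdownPrivilege" in call.args:
        return f"looks up SeShutdownPrivilege for AdjustTokenPrivileges at {call.ref:08X}"
    if (call.api.startswith("EnumServicesStatus")
            and call.hex_arg(1) == SERVICE_TYPE_ALL
            and call.hex_arg(2) == SERVICE_STATE_ALL):
        return f"enumerates every service in every state at {call.ref:08X}"
    if call.api == "LoadLibraryA" and "Shlwapi.dll" in call.args and "SHDeleteKeyW" in call.args:
        return f"resolves SHDeleteKeyW at runtime (recursive registry key deletion) at {call.ref:08X}"
    return None


def classify_strings(line):
    """Flag the CMSTPLUA elevation moniker only when prefix and CLSID both occur."""
    if ELEVATION_MONIKER in line and CMSTPLUA_CLSID in line:
        return "builds CMSTPLUA elevation moniker for CoGetObject (UAC bypass)"
    return None


def triage(lines):
    """Return the behaviour labels found in a list of trace lines, in order."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        label = classify_call(call) if call else classify_strings(line)
        if label:
            findings.append(label)
    return findings


# Constructed input: trace lines copied from the function records on this page
SAMPLE_TRACE = [
    "SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F",
    "GetLastError.KERNEL32 ref: 00409A1B",
    r"DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257",
    "LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD",
    "EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927",
    "LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED",
    "String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```

Two details matter when reading these records by hand. SetWindowsHookEx with idHook 0x0D is always a global hook (the thread id must be 0 for WH_KEYBOARD_LL), so the 00000000 third argument is expected, not a narrowing of scope. The elevation moniker is only meaningful together with the CLSID it names; a "Elevation:Administrator!new:" prefix on its own is also used by legitimate installers, which is why the helper requires both strings before it reports a UAC bypass.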
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: __floor_pentium4
                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                          • API String ID: 4168288129-2761157908
                                                                                          • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                          • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                                                          • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                          • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 004089AE
                                                                                            • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                            • Part of subcall function 0040428C: connect.WS2_32(?,0050C168,00000010), ref: 004042A5
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002EC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                            • Part of subcall function 00404468: SetEvent.KERNEL32(000002EC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                            • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                            • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                            • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                          • String ID:
                                                                                          • API String ID: 4043647387-0
                                                                                          • Opcode ID: 023dc0bb17e3d4688fbad928f669f6b6b4ce6930fe0b3bcb6a9d897457014150
                                                                                          • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                          • Opcode Fuzzy Hash: 023dc0bb17e3d4688fbad928f669f6b6b4ce6930fe0b3bcb6a9d897457014150
                                                                                          • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                          • String ID:
                                                                                          • API String ID: 276877138-0
                                                                                          • Opcode ID: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                                                                          • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                          • Opcode Fuzzy Hash: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                                                                          • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                          APIs
                                                                                            • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                            • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                            • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                            • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                            • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                          • String ID: PowrProf.dll$SetSuspendState
                                                                                          • API String ID: 1589313981-1420736420
                                                                                          • Opcode ID: a9bdb05b4d57e85a2d4faed2f5f4237c9f13a829c7de5adf5ffc40db30ecdedd
                                                                                          • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                          • Opcode Fuzzy Hash: a9bdb05b4d57e85a2d4faed2f5f4237c9f13a829c7de5adf5ffc40db30ecdedd
                                                                                          • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                          • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 2299586839-711371036
                                                                                          • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                          • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                          • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                          • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                          APIs
                                                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                          • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                          • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                          • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                          • String ID: SETTINGS
                                                                                          • API String ID: 3473537107-594951305
                                                                                          • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                          • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                          • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                          • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
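The function above is the point where the sample reads its configuration: FindResourceA is called with the name SETTINGS and type 0000000A (RT_RCDATA), and the result is loaded, locked and measured. Remcos keeps its encrypted configuration in exactly such a resource. The script below is an added example, not code from the report or from the sample, showing how to decode that blob once it has been carved out of the PE. It assumes the publicly documented Remcos layout (first byte = RC4 key length, then the key, then the RC4-encrypted configuration with fields separated by `|\x1e\x1e\x1f|`); the delimiter and the optional pefile-based carving helper are assumptions, and the sample blob is constructed inside the script with made-up host, port and password values rather than taken from this analysis.

```python
"""Decode a Remcos-style SETTINGS resource blob.

Added example, not part of the Joe Sandbox report. Layout assumed (as
publicly documented for Remcos, an assumption for any given build):
  byte 0        : RC4 key length N
  bytes 1..N    : RC4 key
  bytes N+1..   : RC4-encrypted config, fields separated by FIELD_DELIM
"""
from typing import List

# Assumption: delimiter used by recent Remcos versions between config fields.
FIELD_DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_settings(blob: bytes) -> List[bytes]:
    """Split the blob into key and ciphertext, decrypt, and return the config fields."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key length and a key")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError(f"implausible key length {key_len} for {len(blob)}-byte blob")
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return plaintext.split(FIELD_DELIM)


def build_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of decode_settings; used here only to construct a demo blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_DELIM.join(fields))


# Constructed sample: made-up C2 host/port/password, NOT values from the analysed file.
SAMPLE_FIELDS = [b"example-c2.invalid:2404:1", b"RemoteHost", b"pass", b"1", b"0"]
SAMPLE_BLOB = build_settings(b"k3y", SAMPLE_FIELDS)


def extract_from_pe(path: str) -> bytes:
    """Carve the RT_RCDATA resource named SETTINGS with pefile (optional dependency)."""
    import pefile  # pip install pefile; imported lazily so the rest runs without it
    pe = pefile.PE(path)
    for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if entry.id != pefile.RESOURCE_TYPE["RT_RCDATA"]:
            continue
        for res in entry.directory.entries:
            if res.name is not None and str(res.name) == "SETTINGS":
                lang = res.directory.entries[0]
                data = lang.data.struct
                return pe.get_data(data.OffsetToData, data.Size)
    raise LookupError("no RT_RCDATA/SETTINGS resource in this PE")


if __name__ == "__main__":
    for idx, field in enumerate(decode_settings(SAMPLE_BLOB)):
        print(idx, field)
```

Against a real sample, pass the bytes returned by extract_from_pe (or the resource carved from the associated 00400000 memory dump) to decode_settings; the first field is normally the C2 host:port:tls tuple, which is what the report's "C2 URLs / IPs found in malware configuration" signature is derived from. A key-length byte that runs past the end of the blob is the usual sign that the resource was truncated or that the build uses a different layout.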
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 00407A91
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                                                          • String ID:
                                                                                          • API String ID: 1157919129-0
                                                                                          • Opcode ID: 935e28bceb1b2dd29a33bdabc5781610e478b7f4932fb351d10d11ef5e821378
                                                                                          • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                          • Opcode Fuzzy Hash: 935e28bceb1b2dd29a33bdabc5781610e478b7f4932fb351d10d11ef5e821378
                                                                                          • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                          APIs
                                                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                          • _free.LIBCMT ref: 00448067
                                                                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                          • _free.LIBCMT ref: 00448233
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                          • String ID:
• API String ID: 1286116820-0
• Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
• Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
• open, xrefs: 0040622E
• C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, xrefs: 0040627F, 004063A7
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$open
• API String ID: 2825088817-995846098
• Opcode ID: 4fbfc4d9441ce84f49f3affd9caa8ebb9edc2e7a1bd6b2ed6f93525bba792b6f
• Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
• Opcode Fuzzy Hash: 4fbfc4d9441ce84f49f3affd9caa8ebb9edc2e7a1bd6b2ed6f93525bba792b6f
• Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
• Opcode ID: 784674e8d6818078d961cd005be54c7bd986f13eb30e329a6d734e3aeb6873f3
• Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
• Opcode Fuzzy Hash: 784674e8d6818078d961cd005be54c7bd986f13eb30e329a6d734e3aeb6873f3
• Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,@N,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
• Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
• Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
• Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
• Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
• Opcode ID: 0afeef2273bb365940aeeebd1ace48b2c35f122f2a18ff3fa38bca27594c9e3e
• Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
• Opcode Fuzzy Hash: 0afeef2273bb365940aeeebd1ace48b2c35f122f2a18ff3fa38bca27594c9e3e
• Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
• Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
• Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A76C
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
• Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
• Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
• Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
• Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 1703294689-0
                                                                                          • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                          • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                          • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                          • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                          APIs
                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseHandleOpenSuspend
                                                                                          • String ID:
                                                                                          • API String ID: 1999457699-0
                                                                                          • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                          • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                                                          • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                          • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                                                          APIs
                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                                                          • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseHandleOpenResume
                                                                                          • String ID:
                                                                                          • API String ID: 3614150671-0
                                                                                          • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                          • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                                                          • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                          • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .
                                                                                          • API String ID: 0-248832578
                                                                                          • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                          • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                                                          • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                          • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .
                                                                                          • API String ID: 0-248832578
                                                                                          • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                          • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                          • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                          • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                          APIs
                                                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                          • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID: <D
                                                                                          • API String ID: 1084509184-3866323178
                                                                                          • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                          • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                          • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                          • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                          APIs
                                                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                          • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID: <D
                                                                                          • API String ID: 1084509184-3866323178
                                                                                          • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                          • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                          • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                          • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: GetLocaleInfoEx
                                                                                          • API String ID: 2299586839-2904428671
                                                                                          • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                          • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                          • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                          • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
• Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
• Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
• Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
• Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
• Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
• Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
• Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
• Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
• Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
• Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
• Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
• Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
• Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
• Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
• Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
• Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
• Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
• Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID:
• String ID: BG3i@
• API String ID: 0-2407888476
• Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
• Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
• Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
• Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
• Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @
                                                                                          • API String ID: 0-2766056989
                                                                                          • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                          • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                          • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                          • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: >G
                                                                                          • API String ID: 0-1296849874
                                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                          • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                          • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                          • Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
                                                                                          • Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                          • Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                          • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                          • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                          • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                          • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                          • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                          • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                          • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                          • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                          • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                          • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                          • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                          • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                          • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                          • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                          • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                          • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                          • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                          • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                          • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                                                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                          • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                          • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                                                          • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                          • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                          • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                          • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                          • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                          • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                          • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                          • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                                                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                          • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                          • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                          • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                          • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                          • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                                                          • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                          • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                                                          APIs
                                                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                            • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                          • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                          • DeleteDC.GDI32(?), ref: 0041805D
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                          • GetCursorInfo.USER32(?), ref: 004180B5
                                                                                          • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                          • DeleteObject.GDI32(?), ref: 004180FA
                                                                                          • DeleteObject.GDI32(?), ref: 00418107
                                                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                          • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                          • DeleteDC.GDI32(?), ref: 0041827F
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                          • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                          • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                          • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                          • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                          • DeleteDC.GDI32(?), ref: 0041835B
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                          • DeleteDC.GDI32(?), ref: 00418398
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                          • DeleteObject.GDI32(?), ref: 004183A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                          • String ID: DISPLAY
                                                                                          • API String ID: 1352755160-865373369
                                                                                          • Opcode ID: 14ef04a11382e39a5d7ce1ed17fc5207626fd631db5641e6acf2cfebc1a14c6e
                                                                                          • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                          • Opcode Fuzzy Hash: 14ef04a11382e39a5d7ce1ed17fc5207626fd631db5641e6acf2cfebc1a14c6e
                                                                                          • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                          APIs
                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,@N,?,00000000), ref: 004112D4
                                                                                          • ExitProcess.KERNEL32 ref: 0041151D
                                                                                            • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,@N), ref: 00412679
                                                                                            • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                            • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                          • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                          • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                          • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                            • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                            • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                            • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                          • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                          • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                          • String ID: .exe$0DG$@CG$@N$T@$WDH$exepath$open$temp_
                                                                                          • API String ID: 4250697656-2589642081
                                                                                          • Opcode ID: 197af66009191922f4e5756cbe13be0694456b58e8e0c6d34c19e14a4caca06f
                                                                                          • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                          • Opcode Fuzzy Hash: 197af66009191922f4e5756cbe13be0694456b58e8e0c6d34c19e14a4caca06f
                                                                                          • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                          APIs
                                                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,@N,pth_unenc,0040BF26,004742E0,@N,?,pth_unenc), ref: 0040AFC9
                                                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                                          • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                          • String ID: """, 0$")$@CG$@N$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                          • API String ID: 1861856835-2675256945
                                                                                          • Opcode ID: a0f600f49bf3dc62deacadc195efdc112691502130aed94f63629ad2c38e38da
                                                                                          • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                                                          • Opcode Fuzzy Hash: a0f600f49bf3dc62deacadc195efdc112691502130aed94f63629ad2c38e38da
                                                                                          • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                                          APIs
                                                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,@N,?,pth_unenc), ref: 0040C013
                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,@N,?,pth_unenc), ref: 0040C056
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,@N,?,pth_unenc), ref: 0040C065
                                                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,@N,pth_unenc,0040BF26,004742E0,@N,?,pth_unenc), ref: 0040AFC9
                                                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,@N), ref: 0041AB5F
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                          • ExitProcess.KERNEL32 ref: 0040C287
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                          • String ID: ")$.vbs$@CG$@N$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                          • API String ID: 3797177996-1225347947
                                                                                          • Opcode ID: 6fdb169e588ba5efd4694f387023577ef4881c3b43681ad391313d197d6ba7e6
                                                                                          • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                          • Opcode Fuzzy Hash: 6fdb169e588ba5efd4694f387023577ef4881c3b43681ad391313d197d6ba7e6
                                                                                          • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                                          APIs
                                                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                          • SetEvent.KERNEL32 ref: 0041A38A
                                                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                          • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                          • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                          • API String ID: 738084811-2745919808
                                                                                          • Opcode ID: fa86cf05341072421914e5d1e1dcf176187f6b351948c508f9266be5b7dc4a46
                                                                                          • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                          • Opcode Fuzzy Hash: fa86cf05341072421914e5d1e1dcf176187f6b351948c508f9266be5b7dc4a46
                                                                                          • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                          • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                          • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                          • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Write$Create
                                                                                          • String ID: RIFF$WAVE$data$fmt
                                                                                          • API String ID: 1602526932-4212202414
                                                                                          • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                          • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                          • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                          • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                          • API String ID: 1646373207-389884819
                                                                                          • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                          • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                          • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                          • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 0040BC75
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                          • _wcslen.LIBCMT ref: 0040BD54
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                          • _wcslen.LIBCMT ref: 0040BE34
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                          • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                          • String ID: 6$@N$C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$del$open$BG$BG
                                                                                          • API String ID: 1579085052-4255695264
                                                                                          • Opcode ID: cf2def00a9f54cbbdb09bd5ce01bb5f776fc8ce9134b0bd7acedba2fd5570a88
                                                                                          • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                          • Opcode Fuzzy Hash: cf2def00a9f54cbbdb09bd5ce01bb5f776fc8ce9134b0bd7acedba2fd5570a88
                                                                                          • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
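The Memory Dump Source names above encode where each analysed function was found. The Python below is an added example written for this report, not Joe Sandbox code. It assumes, from the dump names on this page, that after stripping ".sdmp" the fourth dotted field is the region base, the fifth its PAGE_* protection and the seventh its MEM_* type (the other fields are left undecoded), and it flags executable regions that are not backed by a mapped PE image, which is what runtime-unpacked or injected code looks like: the 0x10001000 region here is PAGE_EXECUTE_READWRITE and MEM_PRIVATE, while the 0x401000 region of the main module is PAGE_EXECUTE_READ and MEM_IMAGE.

```python
"""Classify Joe Sandbox memory-dump (.sdmp) source names by page protection and type.

Added example for this report, not Joe Sandbox code. Field layout is an assumption
inferred from the dump names on this page: after stripping ".sdmp" there are eight
dotted hex fields; index 3 is the region base, index 4 its PAGE_* protection and
index 6 its MEM_* type. The remaining fields are not decoded here.
"""
import re
from dataclasses import dataclass
from typing import List

# Win32 memory protection and memory type constants (winnt.h).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80
HEX_FIELD = re.compile(r"[0-9A-Fa-f]+")


@dataclass(frozen=True)
class DumpSource:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protection(self) -> str:
        # Low byte only: PAGE_GUARD / PAGE_NOCACHE modifiers live above it.
        return PAGE_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def memory_type(self) -> str:
        return MEM_TYPE_NAMES.get(self.mem_type, hex(self.mem_type))

    def is_executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    def is_writable(self) -> bool:
        return bool(self.protect & WRITABLE_MASK)

    def is_image_backed(self) -> bool:
        return self.mem_type == 0x1000000

    def looks_unpacked(self) -> bool:
        """Executable code not backed by a mapped PE image was put there at runtime:
        an unpacking stub's output, a manually mapped DLL or an injected payload."""
        return self.is_executable() and not self.is_image_backed()


def parse_dump_name(name: str) -> DumpSource:
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8 or not all(HEX_FIELD.fullmatch(f) for f in fields):
        raise ValueError(f"unexpected dump name layout: {name}")
    return DumpSource(name=name, base=int(fields[3], 16),
                      protect=int(fields[4], 16), mem_type=int(fields[6], 16))


def describe(name: str) -> str:
    d = parse_dump_name(name)
    parts = [f"{d.base:#010x}", d.protection, d.memory_type]
    if d.is_writable() and d.is_executable():
        parts.append("RWX")
    parts.append("runtime code (unpacked/injected?)" if d.looks_unpacked() else "as mapped")
    return " ".join(parts)


def triage(names: List[str]) -> List[str]:
    """Return the dump names whose region looks like runtime-written code."""
    return [n for n in names if parse_dump_name(n).looks_unpacked()]


# Dump names copied from this report's Memory Dump Source entries.
SAMPLE_DUMPS = [
    "00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_DUMPS:
        print(describe(n))
```

Run against the names on this page, triage() returns only the two 0x40/MEM_PRIVATE regions at 0x10001000 and 0x10016000, which is where the functions attributed to the 10000000 module in this report were dumped from; the 0x10000000 region itself is PAGE_READWRITE and is not flagged.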
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
• Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
• Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
• Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
• Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
• GetCursorPos.USER32(?), ref: 0041CAF8
• SetForegroundWindow.USER32(?), ref: 0041CB01
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
• ExitProcess.KERNEL32 ref: 0041CB74
• CreatePopupMenu.USER32 ref: 0041CB7A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
• Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
APIs
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
• Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
• Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
• Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
• CloseHandle.KERNEL32(00000000), ref: 00408256
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
• API String ID: 1884690901-3066803209
• Opcode ID: 04dd7f9366dcb91c3dbb1a54be5b737fb15d6113bcf4a575a3a2a8f2f94803e4
• Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
• Opcode Fuzzy Hash: 04dd7f9366dcb91c3dbb1a54be5b737fb15d6113bcf4a575a3a2a8f2f94803e4
• Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
APIs
• Sleep.KERNEL32(00001388), ref: 00409E62
  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: @CG$@CG$XCG$XCG$xAG$xAG
• API String ID: 3795512280-3163867910
• Opcode ID: db82f7fcbaed7571b09b5feda44f755d485f2160fd2ce4a4b86ee15c5daf0a77
• Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
• Opcode Fuzzy Hash: db82f7fcbaed7571b09b5feda44f755d485f2160fd2ce4a4b86ee15c5daf0a77
• Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                                                          APIs
                                                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                            • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,@N), ref: 00412679
                                                                                            • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                            • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                          • ExitProcess.KERNEL32 ref: 0040C832
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                          • String ID: """, 0$.vbs$@CG$@N$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                          • API String ID: 1913171305-4285318183
                                                                                          • Opcode ID: 2f523ed702ad3be297431ddc75cd15a8c1b0ab6ea1744de7960813c0f983d418
                                                                                          • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                          • Opcode Fuzzy Hash: 2f523ed702ad3be297431ddc75cd15a8c1b0ab6ea1744de7960813c0f983d418
                                                                                          • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                          APIs
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                          • String ID: \ws2_32$\wship6$getaddrinfo
                                                                                          • API String ID: 2490988753-3078833738
                                                                                          • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                          • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                          • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                          • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                          APIs
                                                                                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                          • _free.LIBCMT ref: 10007CFB
                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                          • _free.LIBCMT ref: 10007D1D
                                                                                          • _free.LIBCMT ref: 10007D32
                                                                                          • _free.LIBCMT ref: 10007D3D
                                                                                          • _free.LIBCMT ref: 10007D5F
                                                                                          • _free.LIBCMT ref: 10007D72
                                                                                          • _free.LIBCMT ref: 10007D80
                                                                                          • _free.LIBCMT ref: 10007D8B
                                                                                          • _free.LIBCMT ref: 10007DC3
                                                                                          • _free.LIBCMT ref: 10007DCA
                                                                                          • _free.LIBCMT ref: 10007DE7
                                                                                          • _free.LIBCMT ref: 10007DFF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                          • String ID:
                                                                                          • API String ID: 161543041-0
                                                                                          • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                          • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                          • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                          • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                          APIs
                                                                                          • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                          • _free.LIBCMT ref: 004500A6
                                                                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                          • _free.LIBCMT ref: 004500C8
                                                                                          • _free.LIBCMT ref: 004500DD
                                                                                          • _free.LIBCMT ref: 004500E8
                                                                                          • _free.LIBCMT ref: 0045010A
                                                                                          • _free.LIBCMT ref: 0045011D
                                                                                          • _free.LIBCMT ref: 0045012B
                                                                                          • _free.LIBCMT ref: 00450136
                                                                                          • _free.LIBCMT ref: 0045016E
                                                                                          • _free.LIBCMT ref: 00450175
                                                                                          • _free.LIBCMT ref: 00450192
                                                                                          • _free.LIBCMT ref: 004501AA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                          • String ID:
                                                                                          • API String ID: 161543041-0
                                                                                          • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                          • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                          • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                          • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 0041912D
                                                                                          • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                          • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                          • API String ID: 489098229-65789007
                                                                                          • Opcode ID: a9c30b7ca3c23df960a62182adde5b6ece1c29b97acb22a7f74f9b7218aaac53
                                                                                          • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                          • Opcode Fuzzy Hash: a9c30b7ca3c23df960a62182adde5b6ece1c29b97acb22a7f74f9b7218aaac53
                                                                                          • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID:
                                                                                          • API String ID: 269201875-0
                                                                                          • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                          • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                          • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                          • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                          APIs
                                                                                            • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                          • GetLastError.KERNEL32 ref: 00454A96
                                                                                          • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                          • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                          • GetLastError.KERNEL32 ref: 00454AB3
                                                                                          • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                          • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                          • GetLastError.KERNEL32 ref: 00454C58
                                                                                          • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                          • String ID: H
                                                                                          • API String ID: 4237864984-2852464175
                                                                                          • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                          • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                          • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                          • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                          • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                          • GetForegroundWindow.USER32 ref: 0040A467
                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                                                          • API String ID: 911427763-3954389425
                                                                                          • Opcode ID: 1250248c4d62d117fc355c5487db7b218e06681236761ca8f2fc6291dfaaf1f0
                                                                                          • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                          • Opcode Fuzzy Hash: 1250248c4d62d117fc355c5487db7b218e06681236761ca8f2fc6291dfaaf1f0
                                                                                          • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 65535$udp
                                                                                          • API String ID: 0-1267037602
                                                                                          • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                          • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                          • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                          • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                          • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                          • String ID: <$@$@FG$@FG$TUF$Temp
                                                                                          • API String ID: 1107811701-4124992407
                                                                                          • Opcode ID: 5f2e0ce368fa88a4ca348f9bf9bce08a5d1f29e72c0c6804c22944a99ab02f9d
                                                                                          • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                          • Opcode Fuzzy Hash: 5f2e0ce368fa88a4ca348f9bf9bce08a5d1f29e72c0c6804c22944a99ab02f9d
                                                                                          • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe), ref: 00406705
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentProcess
                                                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                                                                          • API String ID: 2050909247-1144799832
                                                                                          • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                          • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                          • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                          • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                          • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                          • __dosmaperr.LIBCMT ref: 004393CD
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                          • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                          • __dosmaperr.LIBCMT ref: 0043940A
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                          • __dosmaperr.LIBCMT ref: 0043945E
                                                                                          • _free.LIBCMT ref: 0043946A
                                                                                          • _free.LIBCMT ref: 00439471
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                          • String ID:
                                                                                          • API String ID: 2441525078-0
                                                                                          • Opcode ID: 2894fcbb1f162653cfe1ba04bc0a5a8f03630905280e1a3511de0c112cb5b03f
                                                                                          • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                          • Opcode Fuzzy Hash: 2894fcbb1f162653cfe1ba04bc0a5a8f03630905280e1a3511de0c112cb5b03f
                                                                                          • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?), ref: 00404E71
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                          • TranslateMessage.USER32(?), ref: 00404F30
                                                                                          • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                          • API String ID: 2956720200-749203953
                                                                                          • Opcode ID: d07fa74f3685580e432c49e9c9dfc6b572ff3ab8f2e6598ee090209010c7d529
                                                                                          • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                          • Opcode Fuzzy Hash: d07fa74f3685580e432c49e9c9dfc6b572ff3ab8f2e6598ee090209010c7d529
                                                                                          • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                                                                          • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                          • Opcode Fuzzy Hash: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                                                                          • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 100059EA
                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                          • _free.LIBCMT ref: 100059F6
                                                                                          • _free.LIBCMT ref: 10005A01
                                                                                          • _free.LIBCMT ref: 10005A0C
                                                                                          • _free.LIBCMT ref: 10005A17
                                                                                          • _free.LIBCMT ref: 10005A22
                                                                                          • _free.LIBCMT ref: 10005A2D
                                                                                          • _free.LIBCMT ref: 10005A38
                                                                                          • _free.LIBCMT ref: 10005A43
                                                                                          • _free.LIBCMT ref: 10005A51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                          • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                          • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                          • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00446DDF
                                                                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                          • _free.LIBCMT ref: 00446DEB
                                                                                          • _free.LIBCMT ref: 00446DF6
                                                                                          • _free.LIBCMT ref: 00446E01
                                                                                          • _free.LIBCMT ref: 00446E0C
                                                                                          • _free.LIBCMT ref: 00446E17
                                                                                          • _free.LIBCMT ref: 00446E22
                                                                                          • _free.LIBCMT ref: 00446E2D
                                                                                          • _free.LIBCMT ref: 00446E38
                                                                                          • _free.LIBCMT ref: 00446E46
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                          • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                          • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                          • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                                                                          • DisplayName, xrefs: 0041B8D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumOpen
                                                                                          • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                          • API String ID: 1332880857-3614651759
                                                                                          • Opcode ID: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                                                                          • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                          • Opcode Fuzzy Hash: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                                                                          • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Eventinet_ntoa
                                                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                          • API String ID: 3578746661-4192532303
                                                                                          • Opcode ID: 66e9f6c76bf8d36a68d5b5767ac5bdd17a7e7421353926ae8cb0ba132bd8e5b5
                                                                                          • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                          • Opcode Fuzzy Hash: 66e9f6c76bf8d36a68d5b5767ac5bdd17a7e7421353926ae8cb0ba132bd8e5b5
                                                                                          • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                          APIs
                                                                                          • ExitThread.KERNEL32 ref: 004017F4
                                                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                          • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                          • String ID: (N$T=G$p[G$>G$>G
                                                                                          • API String ID: 1596592924-3666623372
                                                                                          • Opcode ID: 060fbae815ca74fcc89c057f3ca3201a7b647a0ea9831cfa2eedc3502e4513c6
                                                                                          • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                          • Opcode Fuzzy Hash: 060fbae815ca74fcc89c057f3ca3201a7b647a0ea9831cfa2eedc3502e4513c6
                                                                                          • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                          • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                          • API String ID: 1462127192-2001430897
                                                                                          • Opcode ID: d21e0b7444ef16f4815b063b5dd4add99d6b7eb9d38a6b663a45f1baa0c704e9
                                                                                          • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                          • Opcode Fuzzy Hash: d21e0b7444ef16f4815b063b5dd4add99d6b7eb9d38a6b663a45f1baa0c704e9
                                                                                          • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                          APIs
                                                                                          • _strftime.LIBCMT ref: 00401AD3
                                                                                            • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                          • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                          • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                          • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                          • API String ID: 3809562944-3643129801
                                                                                          • Opcode ID: b5da03968aa696b061eefe29f3213ebb6219f06a5946cc2e5b54c1b13d12e9c1
                                                                                          • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                          • Opcode Fuzzy Hash: b5da03968aa696b061eefe29f3213ebb6219f06a5946cc2e5b54c1b13d12e9c1
                                                                                          • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                                          APIs
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                          • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                          • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                          • waveInStart.WINMM ref: 00401A81
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                          • String ID: XCG$`=G$x=G
                                                                                          • API String ID: 1356121797-903574159
                                                                                          • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                          • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                                          • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                          • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
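The function records above list raw API call sites (registry enumeration of the Uninstall key, ShellExecuteW on dxdiag followed by Sleep and DeleteFileW, the waveIn* microphone capture chain, the Shell_NotifyIconA tray icon). The following Python is an added example, not part of the Joe Sandbox report or of Remcos: it parses "APIs" lines in exactly the form this page prints them (including "Part of subcall function" lines and calls with no argument list) and groups the call sites under behaviour tags. The tags, the rule predicates and the sample text are this example's own constructions; the sample lines are copied from the records on this page, and the hive constants are the documented HKEY_* values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" line as rendered on this Joe Sandbox page, e.g.
#   • RegOpenKeyExA.ADVAPI32(80000002,Software\...\Uninstall,00000000,00020019,?), ref: 0041B846
#   • _free.LIBCMT ref: 00446DDF                                  (no argument list)
#     • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(...), ref: 00446ADB
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented predefined registry hive handles, used to make RegOpenKeyEx* arguments readable.
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}


@dataclass
class ApiCall:
    api: str                          # e.g. RegOpenKeyExA
    module: str                       # e.g. ADVAPI32
    args: list                        # raw argument strings as the report prints them
    ref: str                          # call-site address inside the dump
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines


def parse_api_lines(text: str) -> list:
    """Parse every recognisable API line; headings and other report lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def describe_registry_open(call: ApiCall) -> str:
    """Render a RegOpenKeyEx* call as hive\\subkey using the first two arguments."""
    hive = HIVES.get(call.args[0], call.args[0]) if call.args else "?"
    subkey = call.args[1] if len(call.args) > 1 else "?"
    return f"{hive}\\{subkey}"


# Behaviour rules: (tag, predicate over one call). Tags are this example's own
# labels, not Joe Sandbox signature names.
RULES = [
    ("installed-software enumeration",
     lambda c: c.api.startswith("RegOpenKeyEx")
     and any(a.endswith(r"CurrentVersion\Uninstall") for a in c.args)),
    ("system inventory via dxdiag",
     lambda c: c.api.startswith("ShellExecute") and "dxdiag" in c.args),
    ("microphone capture",
     lambda c: c.module == "WINMM" and c.api.startswith("waveIn")),
    ("tray icon shown",
     lambda c: c.api.startswith("Shell_NotifyIcon")),
]


def classify(calls: list) -> dict:
    """Map each behaviour tag to the sorted call-site addresses that triggered it."""
    hits = {}
    for call in calls:
        for tag, pred in RULES:
            if pred(call):
                hits.setdefault(tag, set()).add(call.ref)
    return {tag: sorted(refs) for tag, refs in hits.items()}


# Constructed sample: API lines copied from the function records on this page.
SAMPLE = """
• RegOpenKeyExA.ADVAPI32(80000002,Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInStart.WINMM ref: 00401A81
• _free.LIBCMT ref: 00446DDF
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(describe_registry_open(parsed[0]))
    for tag, refs in classify(parsed).items():
        print(f"{tag}: {', '.join(refs)}")
```

The call-site addresses kept per tag are what you would carry into IDA or the dump (they are the `ref:` values the report prints), so a tag can be traced straight back to the function record it came from. The rules deliberately key on the API name plus a distinctive argument (the Uninstall subkey, the dxdiag verb target) rather than on the API alone, because RegOpenKeyExA or ShellExecuteW on their own occur in benign code as well.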
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                            • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                            • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                            • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                          • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                          • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                          • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                          • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                          • String ID: Remcos
                                                                                          • API String ID: 1970332568-165870891
                                                                                          • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                          • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                          • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                          • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0747812b3ef30bf307ff75b73c960c026ca27f542f29018827700d11bc9c6ccf
                                                                                          • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                          • Opcode Fuzzy Hash: 0747812b3ef30bf307ff75b73c960c026ca27f542f29018827700d11bc9c6ccf
                                                                                          • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                                          • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                                          • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                                          • __freea.LIBCMT ref: 00452DAA
                                                                                          • __freea.LIBCMT ref: 00452DB6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                          • String ID:
                                                                                          • API String ID: 201697637-0
                                                                                          • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                                                          • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                                          • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                                                          • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                          APIs
                                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                           • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                          • String ID:
                                                                                          • API String ID: 1454806937-0
                                                                                          • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                          • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                          • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                          • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                          APIs
                                                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                          • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                          • _free.LIBCMT ref: 00444714
                                                                                          • _free.LIBCMT ref: 0044472D
                                                                                          • _free.LIBCMT ref: 0044475F
                                                                                          • _free.LIBCMT ref: 00444768
                                                                                          • _free.LIBCMT ref: 00444774
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                                                          • String ID: C
                                                                                          • API String ID: 1679612858-1037565863
                                                                                          • Opcode ID: d6a65fe66c69fa62a0c34ca2f35337999b99eaaf5e5ef6fd5731e43fc5362228
                                                                                          • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                          • Opcode Fuzzy Hash: d6a65fe66c69fa62a0c34ca2f35337999b99eaaf5e5ef6fd5731e43fc5362228
                                                                                          • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: tcp$udp
                                                                                          • API String ID: 0-3725065008
                                                                                          • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                          • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                          • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                          • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                            • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                            • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                                                          • String ID: TUF$TUFTUF$>G$DG$DG
                                                                                          • API String ID: 3114080316-72097156
                                                                                          • Opcode ID: 9d675812e21c4edee355bf5c13d9b4aae5657541a44311af8ef9872d0ed657c0
                                                                                          • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                          • Opcode Fuzzy Hash: 9d675812e21c4edee355bf5c13d9b4aae5657541a44311af8ef9872d0ed657c0
                                                                                          • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                            • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                            • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                          • String ID: .part
                                                                                          • API String ID: 1303771098-3499674018
                                                                                          • Opcode ID: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                                                                          • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                          • Opcode Fuzzy Hash: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                                                                          • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• _wcslen.LIBCMT ref: 0041A8F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 3286818993-703403762
• Opcode ID: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
• Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
• Opcode Fuzzy Hash: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
• Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
• API String ID: 1133728706-1738023494
• Opcode ID: fb6bd2806f06ec71fb5b304bda60ba0cad542d4ddec00b303a18f78be82dbe5b
• Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
• Opcode Fuzzy Hash: fb6bd2806f06ec71fb5b304bda60ba0cad542d4ddec00b303a18f78be82dbe5b
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• GetConsoleWindow.KERNEL32 ref: 0041BEBF
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 4067487056-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
• Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
• Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
• Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
• Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
• Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID:
• API String ID: 2172192267-0
• Opcode ID: 8c20eb73d0c573b3589a1d7e4d7d70423697efab0c1071ae27cfa6a5c3502862
• Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
• Opcode Fuzzy Hash: 8c20eb73d0c573b3589a1d7e4d7d70423697efab0c1071ae27cfa6a5c3502862
• Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
APIs
• _free.LIBCMT ref: 00447EBC
• _free.LIBCMT ref: 00447EE0
• _free.LIBCMT ref: 00448067
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 978846fda2128c97431eceff056d37264033e8c1365c30a17839f00b24d8827c
• Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
• Opcode Fuzzy Hash: 978846fda2128c97431eceff056d37264033e8c1365c30a17839f00b24d8827c
• Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
APIs
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
• Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
• Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
• Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                          APIs
                                                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                                                                          • _free.LIBCMT ref: 00444086
                                                                                          • _free.LIBCMT ref: 0044409D
                                                                                          • _free.LIBCMT ref: 004440BC
                                                                                          • _free.LIBCMT ref: 004440D7
                                                                                          • _free.LIBCMT ref: 004440EE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$AllocateHeap
                                                                                          • String ID: J7D
                                                                                          • API String ID: 3033488037-1677391033
                                                                                          • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                          • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                          • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                          • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                          APIs
                                                                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                                          • __fassign.LIBCMT ref: 1000954F
                                                                                          • __fassign.LIBCMT ref: 1000956A
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1324828854-0
                                                                                          • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                          • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                          • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                          • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                          APIs
                                                                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                          • __fassign.LIBCMT ref: 0044A180
                                                                                          • __fassign.LIBCMT ref: 0044A19B
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                          • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                          • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1324828854-0
                                                                                          • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                          • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                          • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                          • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID: HE$HE
                                                                                          • API String ID: 269201875-1978648262
                                                                                          • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                          • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                          • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                          • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                          APIs
                                                                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                            • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                                            • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                                            • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                          • String ID: PgF
                                                                                          • API String ID: 2180151492-654241383
                                                                                          • Opcode ID: 159c1e84a2f93b72ade8697b092ad18f3883c1f87a00b09f3a89ddcac0a0cbdd
                                                                                          • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                                          • Opcode Fuzzy Hash: 159c1e84a2f93b72ade8697b092ad18f3883c1f87a00b09f3a89ddcac0a0cbdd
                                                                                          • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                          APIs
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                          • String ID: csm
                                                                                          • API String ID: 1170836740-1018135373
                                                                                          • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                          • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                          • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                          • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                          APIs
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                          • String ID: csm
                                                                                          • API String ID: 1170836740-1018135373
                                                                                          • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                          • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                          • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                          • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 893373978a8f63a806f149930d37a519c5179eb32fa122ac40cbdb5ec79234b4
                                                                                          • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                          • Opcode Fuzzy Hash: 893373978a8f63a806f149930d37a519c5179eb32fa122ac40cbdb5ec79234b4
                                                                                          • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                          • int.LIBCPMT ref: 0040FC0F
                                                                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                          • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                          • String ID: P[G
                                                                                          • API String ID: 2536120697-571123470
                                                                                          • Opcode ID: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
                                                                                          • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                          • Opcode Fuzzy Hash: 9dc93271d8ca2c5a2fe1f23905a31ea5d19b989abd63f293402e2a51e6b4ac0b
                                                                                          • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                          APIs
                                                                                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                          • _free.LIBCMT ref: 100092AB
                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                          • _free.LIBCMT ref: 100092B6
                                                                                          • _free.LIBCMT ref: 100092C1
                                                                                          • _free.LIBCMT ref: 10009315
                                                                                          • _free.LIBCMT ref: 10009320
                                                                                          • _free.LIBCMT ref: 1000932B
                                                                                          • _free.LIBCMT ref: 10009336
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                          • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                          • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                          • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                          APIs
                                                                                            • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                          • _free.LIBCMT ref: 0044FD29
                                                                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                          • _free.LIBCMT ref: 0044FD34
                                                                                          • _free.LIBCMT ref: 0044FD3F
                                                                                          • _free.LIBCMT ref: 0044FD93
                                                                                          • _free.LIBCMT ref: 0044FD9E
                                                                                          • _free.LIBCMT ref: 0044FDA9
                                                                                          • _free.LIBCMT ref: 0044FDB4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                          • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                          • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                          • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                          APIs
                                                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe), ref: 00406835
                                                                                            • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                            • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                          • CoUninitialize.OLE32 ref: 0040688E
                                                                                          Strings
                                                                                          • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                                                          • [+] before ShellExec, xrefs: 00406856
                                                                                          • C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                                                          • [+] ShellExec success, xrefs: 00406873
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                                                          • String ID: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                          • API String ID: 3851391207-3651616296
                                                                                          • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                          • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                          • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                          • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                          • int.LIBCPMT ref: 0040FEF2
                                                                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                          • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                          • String ID: H]G
                                                                                          • API String ID: 2536120697-1717957184
                                                                                          • Opcode ID: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                          • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                          • Opcode Fuzzy Hash: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                                                                          • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                          • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                          Strings
                                                                                          • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                          • UserProfile, xrefs: 0040B2B4
                                                                                          • [Chrome Cookies not found], xrefs: 0040B308
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                          • API String ID: 2018770650-304995407
                                                                                          • Opcode ID: dd78de24b3325a0bfbf2949613afc2d358e081220bc636fac14671edb4b67a18
                                                                                          • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                          • Opcode Fuzzy Hash: dd78de24b3325a0bfbf2949613afc2d358e081220bc636fac14671edb4b67a18
                                                                                          • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                          Strings
                                                                                          • Rmc-QJ4441, xrefs: 0040693F
                                                                                          • BG, xrefs: 00406909
                                                                                          • C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, xrefs: 00406927
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe$Rmc-QJ4441$BG
                                                                                          • API String ID: 0-4246756317
                                                                                          • Opcode ID: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                          • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                          • Opcode Fuzzy Hash: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                          • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                          APIs
                                                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                          • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,@N,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                          • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateValue
                                                                                          • String ID: @N$pth_unenc$BG
                                                                                          • API String ID: 1818849710-3259445745
                                                                                          • Opcode ID: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                                                                          • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                          • Opcode Fuzzy Hash: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                                                                          • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
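The three records above (the CoInitializeEx / CoGetObject / CoUninitialize path logging "[+] ucmCMLuaUtilShellExecMethod", the DeleteFileA call on the Chrome Cookies database, and the RegCreateKeyW(80000001, ...) / RegSetValueExW pair with the "pth_unenc" and "Rmc-QJ4441" strings nearby) are the entries a triager wants pulled out of a listing like this automatically. The following Python is an added example and is not part of the Joe Sandbox report or of the IDA plugin that produced it: it parses the APIs / Strings / Memory Dump Source record format used on this page, splits it into one record per function, and tags each function with a behaviour label. SAMPLE is a hand-typed excerpt of those records (the sample path shortened to sample.exe); the label names and the rules behind them are assumptions made for this example, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (the APIs / Strings / Memory
Dump Source blocks of this report) and label the behaviours they evidence.
Added example, not Joe Sandbox code: SAMPLE is a hand-typed excerpt of this page
and the labels in classify() are assumed rule names, not Joe Sandbox signatures."""
import re

# APIs bullet: [Part of subcall function ADDR: ]NAME.MODULE[(args)][,] ref: ADDR
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<call>.+?),? ref: (?P<ref>[0-9A-F]{8})$")
# Strings bullet: TEXT, xrefs: ADDR[, ADDR ...]
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<refs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
HKCU = "80000001"  # HKEY_CURRENT_USER as it appears in RegCreateKeyW's first argument

def parse_api(body):
    """'CoGetObject.OLE32(?,...), ref: 004067E9' -> dict, or None if not an API bullet."""
    m = API_RE.match(body)
    if not m:
        return None
    head, _, args = m["call"].partition("(")
    name, _, module = head.rpartition(".")
    return {"name": name, "module": module, "ref": int(m["ref"], 16),
            "args": args[:-1].split(",") if args.endswith(")") else [],
            "subcall": int(m["sub"], 16) if m["sub"] else None}

def parse_records(text):
    """Split report text into per-function records {'apis': [...], 'strings': [...]}."""
    records, section = [], None
    rec = {"apis": [], "strings": [], "closed": True}  # sentinel; first header starts a record
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            if rec["closed"]:  # previous record ended at its Memory Dump Source block
                rec = {"apis": [], "strings": [], "closed": False}
                records.append(rec)
            section = line
        elif line == "Memory Dump Source":
            section, rec["closed"] = line, True
        elif line and not rec["closed"]:
            body = line.lstrip("• ")
            if section == "APIs" and (call := parse_api(body)):
                rec["apis"].append(call)
            elif section == "Strings" and (m := STR_RE.match(body)):
                rec["strings"].append((m["text"], [int(r, 16) for r in m["refs"].split(", ")]))
    return records

def function_address(rec):
    """Lowest address referenced from the function itself (subcall refs excluded)."""
    refs = [a["ref"] for a in rec["apis"] if a["subcall"] is None]
    refs += [r for _, xrefs in rec["strings"] for r in xrefs]
    return f"{min(refs):08X}" if refs else None

def classify(rec):
    """Behaviour labels one record evidences (rule set assumed for this example)."""
    names = {a["name"] for a in rec["apis"]}
    texts = [t for t, _ in rec["strings"]]
    blob, labels = " ".join(texts), []
    # Elevated COM object via CoGetObject plus the UACMe-style marker string the binary logs.
    if "CoGetObject" in names and "ucmCMLuaUtilShellExecMethod" in blob:
        labels.append("uac-bypass:cmstplua-shellexec")
    if "DeleteFileA" in names and "Chrome" in blob and "Cookies" in blob:
        labels.append("browser:chrome-cookie-wipe")
    if "RegSetValueExW" in names and any(
            a["name"] == "RegCreateKeyW" and a["args"][:1] == [HKCU] for a in rec["apis"]):
        labels.append("persistence:hkcu-registry-write")
    if any(re.fullmatch(r"Rmc-[A-Z0-9]+", t) for t in texts):
        labels.append("remcos:rmc-mutex-name")
    return labels

def triage(text):
    """Map function address -> labels for every record that trips at least one rule."""
    return {function_address(r): labels for r in parse_records(text) if (labels := classify(r))}

# Constructed excerpt of this report's records; the sample path is shortened to sample.exe.
SAMPLE = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\sample.exe), ref: 00406835
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Strings
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
• C:\Users\user\Desktop\sample.exe, xrefs: 00406815, 00406818, 0040686A
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
Strings
• [Chrome Cookies found, cleared!], xrefs: 0040B314
Memory Dump Source
Strings
• Rmc-QJ4441, xrefs: 0040693F
Memory Dump Source
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
• RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,@N,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for addr, labels in triage(SAMPLE).items():
        print(addr, ", ".join(labels))
```

Two design points matter when running this over a full report rather than the excerpt: sub-call refs ("Part of subcall function ...") are kept as evidence but excluded from function_address, because they point into the callee, not the function the record describes; and the HKCU check compares the literal first argument of RegCreateKeyW, so a key opened through a handle obtained elsewhere (argument shown as "?") is deliberately not labelled rather than guessed at.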
                                                                                          APIs
                                                                                          • __allrem.LIBCMT ref: 00439789
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                          • __allrem.LIBCMT ref: 004397BC
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                          • __allrem.LIBCMT ref: 004397F1
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 1992179935-0
                                                                                          • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                          • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                          • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                          • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                          • __freea.LIBCMT ref: 10008A08
                                                                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                          • __freea.LIBCMT ref: 10008A11
                                                                                          • __freea.LIBCMT ref: 10008A36
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1414292761-0
                                                                                          • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                          • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                          • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                          • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __cftoe
                                                                                          • String ID:
                                                                                          • API String ID: 4189289331-0
                                                                                          • Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                                                          • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                          • Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                                                          • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __freea$__alloca_probe_16
                                                                                          • String ID: a/p$am/pm
                                                                                          • API String ID: 3509577899-3206640213
                                                                                          • Opcode ID: b7a8f278bf47528e4a7b6c0293cf3492489fb7de6840faf8b14e2fc4a7d4cdfd
                                                                                          • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                          • Opcode Fuzzy Hash: b7a8f278bf47528e4a7b6c0293cf3492489fb7de6840faf8b14e2fc4a7d4cdfd
                                                                                          • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                          APIs
                                                                                          • _strlen.LIBCMT ref: 10001607
                                                                                          • _strcat.LIBCMT ref: 1000161D
                                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                          • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                          • String ID:
                                                                                          • API String ID: 1922816806-0
                                                                                          • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                          • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                          • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                          • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                          APIs
                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen$AttributesFilelstrcat
                                                                                          • String ID:
                                                                                          • API String ID: 3594823470-0
                                                                                          • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                          • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                          • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                          • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                          • String ID:
                                                                                          • API String ID: 493672254-0
                                                                                          • Opcode ID: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                                                                          • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                          • Opcode Fuzzy Hash: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                                                                          • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                          • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                          • String ID:
                                                                                          • API String ID: 3852720340-0
                                                                                          • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                          • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                          • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                          • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                          • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                          • String ID:
                                                                                          • API String ID: 3852720340-0
                                                                                          • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                          • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                          • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                          • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                          • _free.LIBCMT ref: 10005B2D
                                                                                          • _free.LIBCMT ref: 10005B55
                                                                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                          • _abort.LIBCMT ref: 10005B74
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                          • String ID:
                                                                                          • API String ID: 3160817290-0
                                                                                          • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                          • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                                          • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                                          • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                                          • _free.LIBCMT ref: 00446EF6
                                                                                          • _free.LIBCMT ref: 00446F1E
                                                                                          • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                                          • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                                          • _abort.LIBCMT ref: 00446F3D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                          • String ID:
                                                                                          • API String ID: 3160817290-0
                                                                                          • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                          • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                          • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                          • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                                                                          • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                          • Opcode Fuzzy Hash: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                                                                          • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                                                                          • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                          • Opcode Fuzzy Hash: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                                                                          • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                                                                          • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                          • Opcode Fuzzy Hash: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                                                                          • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                          APIs
                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Enum$InfoQueryValue
                                                                                          • String ID: [regsplt]$DG
                                                                                          • API String ID: 3554306468-1089238109
                                                                                          • Opcode ID: aa434b596bc7cfc96ee37101ce23c477f57ee037bc457f691900a854acfd6d81
                                                                                          • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                          • Opcode Fuzzy Hash: aa434b596bc7cfc96ee37101ce23c477f57ee037bc457f691900a854acfd6d81
                                                                                          • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000104), ref: 00442714
                                                                                          • _free.LIBCMT ref: 004427DF
                                                                                          • _free.LIBCMT ref: 004427E9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$FileModuleName
                                                                                          • String ID: 8(M$C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                                                                                          • API String ID: 2506810119-1711188051
                                                                                          • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                          • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                          • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                          • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                          APIs
                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                          • API String ID: 4036392271-1520055953
                                                                                          • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                          • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                          • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                          • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                          APIs
                                                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                          • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                          • API String ID: 2974294136-753205382
                                                                                          • Opcode ID: a1cc00de9957da759d23a8e4cc62257681437398d2961bd30ab7f179f304f9a5
                                                                                          • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                          • Opcode Fuzzy Hash: a1cc00de9957da759d23a8e4cc62257681437398d2961bd30ab7f179f304f9a5
                                                                                          • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
• Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
• Opcode Fuzzy Hash: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
• Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
• Opcode ID: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
• Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
• Opcode Fuzzy Hash: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
• Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
APIs
• RegisterClassExA.USER32(00000030), ref: 0041CA6C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
• GetLastError.KERNEL32 ref: 0041CA91
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
• Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
• Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
• Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
• Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
• Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
• SetEvent.KERNEL32(00000318), ref: 00404AF9
• WaitForSingleObject.KERNEL32(000002EC,000000FF), ref: 00404B04
• CloseHandle.KERNEL32(000002EC), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
• Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
• Opcode Fuzzy Hash: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
• Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
• Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
• Opcode Fuzzy Hash: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
• Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
APIs
• TerminateThread.KERNEL32(004099A9,00000000,@N,pth_unenc,0040BF26,004742E0,@N,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: @N$pth_unenc
• API String ID: 3123878439-4203875443
• Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
• Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
• Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
• Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
• Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
• Opcode Fuzzy Hash: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
• Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
• Opcode ID: e01c4c90dbe669269fad3787da65842fc1792a43e85c724be277fc682f696f90
• Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
• Opcode Fuzzy Hash: e01c4c90dbe669269fad3787da65842fc1792a43e85c724be277fc682f696f90
• Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
APIs
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
• Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
• Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
• Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
• Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
• @N, xrefs: 0040B93B
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$@N$Cleared browsers logins and cookies.
• API String ID: 3472027048-3514449847
• Opcode ID: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
• Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
• Opcode Fuzzy Hash: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
• Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,@N), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$@N$exepath$BG
• API String ID: 4119054056-73235481
• Opcode ID: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
• Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
• Opcode Fuzzy Hash: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
• Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
• _free.LIBCMT ref: 100071B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
• Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                          APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
• _free.LIBCMT ref: 10005BB4
• _free.LIBCMT ref: 10005BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• GetLastError.KERNEL32(00000000,?,?,00445359,00446B42,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000), ref: 00446FB1
• SetLastError.KERNEL32(00000000), ref: 00446FBA
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
• lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
• lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
APIs
• _free.LIBCMT ref: 100091D0
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100091E2
• _free.LIBCMT ref: 100091F4
• _free.LIBCMT ref: 10009206
• _free.LIBCMT ref: 10009218
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 0044F7B5
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 0044F7C7
• _free.LIBCMT ref: 0044F7D9
• _free.LIBCMT ref: 0044F7EB
• _free.LIBCMT ref: 0044F7FD
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10005381
• _free.LIBCMT ref: 10005394
• _free.LIBCMT ref: 100053A5
• _free.LIBCMT ref: 100053B6
Memory Dump Source
• Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00443305
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00443317
• _free.LIBCMT ref: 0044332A
• _free.LIBCMT ref: 0044333B
• _free.LIBCMT ref: 0044334C
Memory Dump Source
• Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
                                                                                          APIs
                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                          • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                          • String ID: (FG
                                                                                          • API String ID: 3142014140-2273637114
                                                                                          • Opcode ID: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
                                                                                          • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                          • Opcode Fuzzy Hash: fda56e45b393d4fbe729944c23874229a9f0d2b36fec767842575fa95d0cb5ce
                                                                                          • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                          APIs
                                                                                          • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                          • _free.LIBCMT ref: 0044D5C5
                                                                                            • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,?,00414BBD,?,00000000,00000000,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                                            • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                                                            • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                          • String ID: *?$.
                                                                                          • API String ID: 2812119850-3972193922
                                                                                          • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                          • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                          • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                          • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                          APIs
                                                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                            • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                            • Part of subcall function 0040428C: connect.WS2_32(?,0050C168,00000010), ref: 004042A5
                                                                                            • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                            • Part of subcall function 00404468: send.WS2_32(000002F4,00000000,00000000,00000000), ref: 004044FD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                          • String ID: XCG$`AG$>G
                                                                                          • API String ID: 2334542088-2372832151
                                                                                          • Opcode ID: 42bc51c78dee6acbefb86a42c13474efe691e96bf1385950867561e892f876e1
                                                                                          • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                          • Opcode Fuzzy Hash: 42bc51c78dee6acbefb86a42c13474efe691e96bf1385950867561e892f876e1
                                                                                          • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe,00000104), ref: 10004C1D
                                                                                          • _free.LIBCMT ref: 10004CE8
                                                                                          • _free.LIBCMT ref: 10004CF2
                                                                                          Strings
                                                                                          • C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$FileModuleName
                                                                                          • String ID: C:\Users\user\Desktop\17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe
                                                                                          • API String ID: 2506810119-2774560372
                                                                                          • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                          • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                          • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                          • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,@N), ref: 0041AB5F
                                                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                          • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                          • String ID: /sort "Visit Time" /stext "$8>G
                                                                                          • API String ID: 368326130-2663660666
                                                                                          • Opcode ID: e8a549f5c5cc42fa25f038c5153f07e649d559ba3fdd5c36896a34310632fdc4
                                                                                          • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                          • Opcode Fuzzy Hash: e8a549f5c5cc42fa25f038c5153f07e649d559ba3fdd5c36896a34310632fdc4
                                                                                          • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                          APIs
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTimewsprintf
                                                                                          • String ID: Offline Keylogger Started
                                                                                          • API String ID: 465354869-4114347211
                                                                                          • Opcode ID: cb8a03be056689720b60d86a3406a6e62e156d1a3bd4db580f81fd222f69def5
                                                                                          • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                          • Opcode Fuzzy Hash: cb8a03be056689720b60d86a3406a6e62e156d1a3bd4db580f81fd222f69def5
                                                                                          • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                          APIs
                                                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                                                          • String ID: Online Keylogger Started
                                                                                          • API String ID: 112202259-1258561607
                                                                                          • Opcode ID: 790fcc5922756c448fefe1602dd0fb8a744b0b9e84c93640108f6d754dbc134a
                                                                                          • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                          • Opcode Fuzzy Hash: 790fcc5922756c448fefe1602dd0fb8a744b0b9e84c93640108f6d754dbc134a
                                                                                          • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
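The two keylogger blocks above and the earlier block carrying the `/sort "Visit Time" /stext ` string give three hunt-able indicators. The following scanner is an added example, not Joe Sandbox output and not code from the sample: it searches a memory dump or unpacked PE for those strings in both ASCII and UTF-16LE (the report shows them passed to both narrow and wide APIs, so the encoding in any given dump is not known in advance) and reports offsets and behaviour tags. The `/stext` switch is NirSoft's plain-text report option and `/sort "Visit Time"` is a BrowsingHistoryView argument, which matches the report's WebBrowserPassView detection; that attribution is an inference from the string, not something the report states. The `SAMPLE_DUMP` buffer is constructed for the demonstration.

```python
"""Scan a memory dump or unpacked PE for the Remcos indicators visible in
this report section: the two keylogger status strings and the NirSoft-style
command-line fragment. Added example, not Joe Sandbox or sample code.
"""
from __future__ import annotations

import re
import sys

# Indicators copied from the String ID / API tables above.
INDICATORS: dict[str, bytes] = {
    "remcos_offline_keylogger": b"Offline Keylogger Started",
    "remcos_online_keylogger":  b"Online Keylogger Started",
    "nirsoft_stext_visit_time": b'/sort "Visit Time" /stext ',
}

# Behaviour each indicator supports; tool attribution for the NirSoft string
# is an inference from the /stext switch, not a fact the report states.
TAGS: dict[str, str] = {
    "remcos_offline_keylogger": "keylogger",
    "remcos_online_keylogger":  "keylogger",
    "nirsoft_stext_visit_time": "browser-history-harvest",
}


def _encodings(needle: bytes) -> dict[str, bytes]:
    """ASCII and UTF-16LE forms of an ASCII needle (narrow vs wide APIs)."""
    return {
        "ascii": needle,
        "utf16le": needle.decode("ascii").encode("utf-16-le"),
    }


def scan(buf: bytes) -> dict[str, list[tuple[str, int]]]:
    """Return {indicator: [(encoding, offset), ...]} for every hit in buf."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for name, needle in INDICATORS.items():
        for enc, pattern in _encodings(needle).items():
            for m in re.finditer(re.escape(pattern), buf):
                hits.setdefault(name, []).append((enc, m.start()))
    return hits


def classify(hits: dict[str, list[tuple[str, int]]]) -> set[str]:
    """Collapse per-indicator hits into behaviour tags."""
    return {TAGS[name] for name in hits}


def scan_file(path: str) -> dict[str, list[tuple[str, int]]]:
    """Scan a file on disk (e.g. a .sdmp region or the unpacked PE)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not a real dump): one ASCII and two wide strings
# with padding, laid out so the hits land at offsets 16, 48 and 100.
SAMPLE_DUMP: bytes = (
    b"\x00" * 16
    + b"Offline Keylogger Started"
    + b"\x00" * 7
    + "Online Keylogger Started".encode("utf-16-le")
    + b"\x00" * 4
    + '/sort "Visit Time" /stext '.encode("utf-16-le")
    + r"C:\Users\user\AppData\Local\Temp\hist.txt".encode("utf-16-le")
)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_file(target) if target else scan(SAMPLE_DUMP)
    for name, locs in sorted(found.items()):
        for enc, off in locs:
            print(f"{name:28s} {enc:8s} @ 0x{off:08x}")
    print("tags:", ", ".join(sorted(classify(found))) or "none")
```

Run it with a dump path as the only argument, or with no argument to scan the constructed buffer. Scanning both encodings matters here: `wsprintfW` in the subcall suggests a wide string in the keylogger path, while the `GetLocalTime` reference shows the narrow form as an argument, and a UTF-16LE needle will never match ASCII bytes.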
                                                                                          APIs
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                          • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                          • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                                                          • String ID: `@
                                                                                          • API String ID: 2583163307-951712118
                                                                                          • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                          • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                          • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                          • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: TUF$alarm.wav$xIG
                                                                                          • API String ID: 1174141254-2188790166
                                                                                          • Opcode ID: f5716c598d93938de6c1b64b86aecc22f848ba1ae643d7b2288a8514a34d2b5c
                                                                                          • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                          • Opcode Fuzzy Hash: f5716c598d93938de6c1b64b86aecc22f848ba1ae643d7b2288a8514a34d2b5c
                                                                                          • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                          • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandleObjectSingleWait
                                                                                          • String ID: Connection Timeout
                                                                                          • API String ID: 2055531096-499159329
                                                                                          • Opcode ID: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                                                                          • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                          • Opcode Fuzzy Hash: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                                                                          • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                          APIs
                                                                                          • waveInPrepareHeader.WINMM(004EEF28,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                          • waveInAddBuffer.WINMM(004EEF28,00000020,?,00000000,00401913), ref: 0040175D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wave$BufferHeaderPrepare
                                                                                          • String ID: (N$T=G
                                                                                          • API String ID: 2315374483-3570399386
                                                                                          • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                          • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                          • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                          • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                          • String ID: bad locale name
                                                                                          • API String ID: 3628047217-1405518554
                                                                                          • Opcode ID: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                          • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                          • Opcode Fuzzy Hash: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                                                                          • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                          APIs
                                                                                            • Part of subcall function 10007153: GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                            • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                            • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                            • Part of subcall function 10007153: _free.LIBCMT ref: 100071B8
                                                                                            • Part of subcall function 10007153: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                          • _free.LIBCMT ref: 10004F1D
                                                                                          • _free.LIBCMT ref: 10004F24
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                          • String ID: pO$pO
                                                                                          • API String ID: 400815659-2849554193
                                                                                          • Opcode ID: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                                                                                          • Instruction ID: eaf7f0aa003ddc14549942adb29436a4b3c466950eec5de4e21d931d64d8bd94
                                                                                          • Opcode Fuzzy Hash: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                                                                                          • Instruction Fuzzy Hash: 7BE0E5A6A0D99291F261D23D7D4265E1B45CBC12F5B230226FC249B1CBDDA4D801109D
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShell
                                                                                          • String ID: /C $cmd.exe$open
                                                                                          • API String ID: 587946157-3896048727
                                                                                          • Opcode ID: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                                                                          • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                          • Opcode Fuzzy Hash: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                                                                          • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __alldvrm$_strrchr
                                                                                          • String ID:
                                                                                          • API String ID: 1036877536-0
                                                                                          • Opcode ID: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                          • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                          • Opcode Fuzzy Hash: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                          • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                          • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                          • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                          • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                          • __freea.LIBCMT ref: 100087D5
                                                                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                          • String ID:
                                                                                          • API String ID: 2652629310-0
                                                                                          • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                          • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                          • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                          • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: SystemTimes$Sleep__aulldiv
                                                                                          • String ID:
                                                                                          • API String ID: 188215759-0
                                                                                          • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                          • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                          • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                          • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                          APIs
                                                                                            • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                            • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                            • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                          • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                          • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$SleepText$ForegroundLength
                                                                                          • String ID: [ $ ]
                                                                                          • API String ID: 3309952895-93608704
                                                                                          • Opcode ID: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                          • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                          • Opcode Fuzzy Hash: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                                                                          • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePointerWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3604237281-0
                                                                                          • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                          • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                          • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                          • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                          • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                          • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                          • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                          • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                          • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                          • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                            • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                            • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                          • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                          • String ID:
                                                                                          • API String ID: 737400349-0
                                                                                          • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                          • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                          • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                          • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                           • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 3177248105-0
                                                                                          • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                          • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                          • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                          • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                          • GetLastError.KERNEL32(?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 3177248105-0
                                                                                          • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                          • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                          • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                          • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                          • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                          • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                          • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem
                                                                                          • String ID:
                                                                                          • API String ID: 4116985748-0
                                                                                          • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                          • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                          • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                          • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
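                                                                                           The records above list raw stack values next to each imported call, which hides what the function is doing. The following added example (not part of the Joe Sandbox report or of any Joe Security tool) parses API lines in exactly the form shown on this page, decodes the Win32 constants that matter for triage (GENERIC_WRITE / CREATE_ALWAYS for CreateFileW, FILE_END for SetFilePointer, the four SM_*VIRTUALSCREEN indices 0x4C..0x4F for GetSystemMetrics, LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibraryExW, Sleep in milliseconds) and tags a function record with a behaviour hint: the GetForegroundWindow/GetWindowTextW/Sleep record is active-window title polling, the GetSystemMetrics record queries the multi-monitor virtual screen bounds, and the CreateFileW record appends to a file while a VBScript self-delete fragment sits on the stack. The sample input lines are copied from this report; the tag names, the constant tables and the helper names are this example's own conventions.

```python
"""Decode Joe Sandbox 'APIs' records (as listed in this report) into triage hints.

Added example, not part of the Joe Sandbox report or of any Joe Security tool.
The sample lines below are copied verbatim from this report's function records;
the tag names and the small constant tables are this example's own assumptions.
"""
import re

# One API line: optional bullet, optional "Part of subcall function XXXX:" prefix,
# Name.MODULE(arg,arg,...), ref: ADDRESS   (CRT helpers appear without parentheses)
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 SDK constants needed to read the arguments that matter here.
SM_VIRTUAL = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
              0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
LOADLIB = {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}


def as_int(arg):
    """Stack values are hex; '?' (unknown) or an inline string literal yields None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_call(line):
    """Parse one API line into a dict, or None if the line is not an API record."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # No stack string in this report contains a comma, so a plain split is safe.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ints": [as_int(a) for a in args], "ref": m.group("ref")}


def decode(call):
    """Short human-readable form of one call (only the parameters that matter)."""
    api, ints = call["api"], call["ints"]
    if api == "GetSystemMetrics" and ints and ints[0] is not None:
        return SM_VIRTUAL.get(ints[0], "SM_%d" % ints[0])
    if api == "Sleep" and ints and ints[0] is not None:
        return "Sleep %d ms" % ints[0]
    if api == "CreateFileW" and len(ints) >= 7 and None not in ints[1:7]:
        access = "|".join(n for v, n in GENERIC.items() if ints[1] & v) or "0"
        return "CreateFileW access=%s disposition=%s" % (
            access, DISPOSITION.get(ints[4], hex(ints[4])))
    if api == "SetFilePointer" and len(ints) >= 4 and ints[3] is not None:
        return "SetFilePointer " + MOVE_METHOD.get(ints[3], hex(ints[3]))
    if api == "LoadLibraryExW" and len(ints) >= 3 and ints[2] is not None:
        return "LoadLibraryExW flags=" + LOADLIB.get(ints[2], hex(ints[2]))
    return api


def tag_function(lines):
    """Behaviour tags for one function record (the lines under one 'APIs' heading)."""
    calls = [c for c in map(parse_call, lines) if c]
    apis = {c["api"] for c in calls}
    tags = set()
    # Foreground window + its title, throttled by Sleep: active-window title polling.
    if {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= apis:
        tags.add("active-window-title-polling")
    # All four virtual-screen metrics give the bounding box of every monitor.
    seen = {c["ints"][0] for c in calls if c["api"] == "GetSystemMetrics" and c["ints"]}
    if set(SM_VIRTUAL) <= seen:
        tags.add("virtual-screen-geometry")
    # Create, seek, write, close in one function: a file append/write routine.
    if {"CreateFileW", "SetFilePointer", "WriteFile", "CloseHandle"} <= apis:
        tags.add("file-append-write")
    # A VBScript self-delete fragment visible on the stack at the CreateFileW call.
    if any(c["api"] == "CreateFileW" and
           any("Wscript.ScriptFullName" in a for a in c["args"]) for c in calls):
        tags.add("vbs-self-delete-string")
    return tags


# Sample records copied from this report (constructed test input for the parser).
WINDOW_TITLE_RECORD = [
    "• Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6",
    "• Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF",
    "• Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729",
    "• Sleep.KERNEL32(000001F4), ref: 00409C95",
    "• Sleep.KERNEL32(00000064), ref: 00409D1F",
]
FILE_RECORD = [
    "• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE",
    "• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB",
    "• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF",
    "• CloseHandle.KERNEL32(00000000), ref: 0041B60C",
]
METRICS_RECORD = [
    "• GetSystemMetrics.USER32(0000004C), ref: 00418519",
    "• GetSystemMetrics.USER32(0000004D), ref: 0041851F",
    "• GetSystemMetrics.USER32(0000004E), ref: 00418525",
    "• GetSystemMetrics.USER32(0000004F), ref: 0041852B",
]
LOADLIB_RECORD = [
    "• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13",
    "• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F",
    "• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D",
]

if __name__ == "__main__":
    for name, rec in [("window-title", WINDOW_TITLE_RECORD), ("file", FILE_RECORD),
                      ("metrics", METRICS_RECORD), ("loadlib", LOADLIB_RECORD)]:
        print(name, sorted(tag_function(rec)))
        for line in rec:
            print("   ", decode(parse_call(line)))
```

The LoadLibraryExW pair (first with LOAD_LIBRARY_SEARCH_SYSTEM32, then, after GetLastError, again with flags 0) is the CRT's own fallback when it probes for FlsSetValue, so it intentionally gets no tag: the same pattern appears in the 0x10000000 module and in the main image, and treating it as suspicious would flag every MSVC binary.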
                                                                                          APIs
                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorHandling__start
                                                                                          • String ID: pow
                                                                                          • API String ID: 3213639722-2276729525
                                                                                          • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                          • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                                          • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                          • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 1000655C
                                                                                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                          • String ID: *?$.
                                                                                          • API String ID: 2667617558-3972193922
                                                                                          • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                          • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                          • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                          • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Info
                                                                                          • String ID: $fD
                                                                                          • API String ID: 1807457897-3092946448
                                                                                          • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                          • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                          • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                          • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                          APIs
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                                                            • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                                                            • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                            • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                          • String ID: image/jpeg
                                                                                          • API String ID: 1291196975-3785015651
                                                                                          • Opcode ID: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                                                                          • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                                                          • Opcode Fuzzy Hash: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                                                                          • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                                                          APIs
                                                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 0-711371036
                                                                                          • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                          • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                          • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                          • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                          APIs
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                                                            • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                                                            • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                            • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                          • String ID: image/png
                                                                                          • API String ID: 1291196975-2966254431
                                                                                          • Opcode ID: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                                                                          • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                                                          • Opcode Fuzzy Hash: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                                                                          • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                          Strings
                                                                                          • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 481472006-1507639952
                                                                                          • Opcode ID: c85f398c135e6bfb2ddcb662ac4b5b76fbeb043ec222003978e5f459600d5f93
                                                                                          • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                          • Opcode Fuzzy Hash: c85f398c135e6bfb2ddcb662ac4b5b76fbeb043ec222003978e5f459600d5f93
                                                                                          • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LG$XG
                                                                                          • API String ID: 0-1482930923
                                                                                          • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                                                          • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                                                                          • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                                                          • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _strlen
                                                                                          • String ID: : $Se.
                                                                                          • API String ID: 4218353326-4089948878
                                                                                          • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                          • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                          • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                          • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                                                          • API String ID: 481472006-2430845779
                                                                                          • Opcode ID: ffbca637f7398eabbe71b31d60376a068a264cf4888f2c1ea49432b73ef532ec
                                                                                          • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                          • Opcode Fuzzy Hash: ffbca637f7398eabbe71b31d60376a068a264cf4888f2c1ea49432b73ef532ec
                                                                                          • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                          APIs
                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID: TUF
                                                                                          • API String ID: 3660427363-3431404234
                                                                                          • Opcode ID: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                                                                          • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                                                                          • Opcode Fuzzy Hash: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                                                                          • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                                                                          APIs
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B806,00000000,00000000,00000000), ref: 0040B9C3
                                                                                            • Part of subcall function 0041246E: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                            • Part of subcall function 0041246E: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                            • Part of subcall function 0041246E: RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,@N), ref: 004124F5
                                                                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue$CreateThread
                                                                                          • String ID: @N$`F
                                                                                          • API String ID: 3520877709-4048590658
                                                                                          • Opcode ID: d961a89bf5f709506fd819609016054ed950b758ba64f6afdf8bb4b0b1854337
                                                                                          • Instruction ID: e7c06676a50877b745d9b19ecfbe3f02a9f7dad16726040ce6249d743dc32a62
                                                                                          • Opcode Fuzzy Hash: d961a89bf5f709506fd819609016054ed950b758ba64f6afdf8bb4b0b1854337
                                                                                          • Instruction Fuzzy Hash: A0F0F461611224A7C710AB666D418AF6B9DCE83794720843FF905B7391EB789D0182ED
                                                                                          APIs
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                            • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                           • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                                          • String ID: Unknown exception
                                                                                          • API String ID: 3476068407-410509341
                                                                                          • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                          • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                          • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                          • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                                                          APIs
                                                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                          • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                          • String ID: Online Keylogger Stopped
                                                                                          • API String ID: 1623830855-1496645233
                                                                                          • Opcode ID: a317c7f28f18b2fbfb0fce45f8699a20ca887b173ff606de2ff24ca0fd2e1774
                                                                                          • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                          • Opcode Fuzzy Hash: a317c7f28f18b2fbfb0fce45f8699a20ca887b173ff606de2ff24ca0fd2e1774
                                                                                          • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                          APIs
                                                                                          • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocaleValid
                                                                                          • String ID: IsValidLocaleName$j=D
                                                                                          • API String ID: 1901932003-3128777819
                                                                                          • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                          • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                          • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                          • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog
                                                                                          • String ID: T=G$T=G
                                                                                          • API String ID: 3519838083-3732185208
                                                                                          • Opcode ID: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                          • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                          • Opcode Fuzzy Hash: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                                                                          • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                            • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                                            • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                            • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                            • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                            • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                          • String ID: [AltL]$[AltR]
                                                                                          • API String ID: 2738857842-2658077756
                                                                                          • Opcode ID: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                                                                          • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                          • Opcode Fuzzy Hash: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                                                                          • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00448825
                                                                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFreeHeapLast_free
                                                                                          • String ID: `@$`@
                                                                                          • API String ID: 1353095263-20545824
                                                                                          • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                          • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                          • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                          • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: State
                                                                                          • String ID: [CtrlL]$[CtrlR]
                                                                                          • API String ID: 1649606143-2446555240
                                                                                          • Opcode ID: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                                                                          • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                          • Opcode Fuzzy Hash: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                                                                          • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
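The keylogger-related function blocks above (the hook teardown that logs "Online Keylogger Stopped", and the GetKeyboardState/GetKeyboardLayout/ToUnicodeEx routine that translates scan codes and emits [AltL]/[AltR] and [CtrlL]/[CtrlR] tokens) are the kind of evidence an analyst wants pulled out of a long report automatically. The following is an added example, not Joe Sandbox's own tooling and not part of this report: a small Python parser for the plain-text form of these per-function blocks that collects each function's API names and string indicators and maps them onto behaviour tags. A tag only fires when an API hit and a string hit occur in the same function, so a lone GetKeyState call is not reported as keylogging. The rule sets, the tag names and the sample input are constructed for illustration; the registry-autorun rule generalizes beyond the keylogger blocks to the HKLM Run and Policies\Explorer\Run paths a RAT typically uses for persistence.

```python
"""Classify Joe Sandbox per-function analysis blocks by behaviour (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API line, e.g. "• GetKeyState.USER32(00000011), ref: 0040AD5B" or the
# subcall form "• Part of subcall function 00409B10: ToUnicodeEx.USER32(...), ref: ...".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[\w.]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# One referenced string, e.g. "• Software\...\Run\, xrefs: 00412986".
STRING_LINE = re.compile(r"^•\s*(?P<s>.+), xrefs: [0-9A-Fa-f]{8}$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}


@dataclass
class FunctionBlock:
    apis: list[str] = field(default_factory=list)     # API names, subcalls included
    strings: list[str] = field(default_factory=list)  # referenced strings + String ID tokens
    opcode_id: str = ""                               # Opcode ID from the Similarity section


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split report text into function blocks; every block starts with an 'APIs' header."""
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue
        block = blocks[-1]
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                block.apis.append(m.group("api"))
        elif section == "Strings":
            m = STRING_LINE.match(line)
            if m:
                block.strings.append(m.group("s"))
        elif section == "Similarity":
            if line.startswith("• String ID:"):
                # String IDs are '$'-joined, e.g. "[AltL]$[AltR]".
                block.strings.extend(t for t in line.split(":", 1)[1].strip().split("$") if t)
            elif line.startswith("• Opcode ID:"):
                block.opcode_id = line.split(":", 1)[1].strip()
    return blocks


# Illustrative rules (constructed): (API names, string needles matched case-insensitively).
RULES = {
    "keylogging": (
        {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx",
         "GetKeyboardState", "ToUnicodeEx", "GetKeyState", "GetAsyncKeyState"},
        ("[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]",
         "Offline Keylogger Started", "Online Keylogger Stopped"),
    ),
    "registry-autorun": (
        {"RegSetValueExA", "RegSetValueExW", "RegDeleteValueA", "RegDeleteValueW"},
        (r"Software\Microsoft\Windows\CurrentVersion\Run",
         r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ),
}


def classify(block: FunctionBlock) -> dict[str, dict[str, list[str]]]:
    """Return {tag: {"apis": [...], "strings": [...]}} for each rule with both kinds of evidence."""
    hits: dict[str, dict[str, list[str]]] = {}
    for tag, (api_set, needles) in RULES.items():
        apis = sorted(set(block.apis) & api_set)
        strings = sorted({s for s in block.strings
                          if any(n.lower() in s.lower() for n in needles)})
        if apis and strings:
            hits[tag] = {"apis": apis, "strings": strings}
    return hits


# Constructed sample in the report's format: the keylogger block above, trimmed,
# plus a second block of the same shape that exercises the registry-autorun rule.
SAMPLE = r"""
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Strings
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• Opcode ID: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.opcode_id[:16], classify(b))
```

The same parser works on the whole "Strings"/"Similarity" export of a report, and the rule table is the place to add a sample's other behaviours (for this one, the CMSTPLUA UAC bypass and the browser-credential access listed in the signature summary) once the corresponding API and string evidence has been read off the blocks.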
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,@N,?,pth_unenc), ref: 00412988
                                                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteOpenValue
                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                          • API String ID: 2654517830-1051519024
                                                                                          • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                          • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                          • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                          • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                          APIs
                                                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteDirectoryFileRemove
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 3325800564-4028850238
                                                                                          • Opcode ID: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                                                                          • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                          • Opcode Fuzzy Hash: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                                                                          • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                          APIs
                                                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ObjectProcessSingleTerminateWait
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 1872346434-4028850238
                                                                                          • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                          • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                          • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                          • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountInfoInputLastTick
                                                                                          • String ID: >G
                                                                                          • API String ID: 3478931382-1296849874
                                                                                          • Opcode ID: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                                                                          • Instruction ID: 0f25e8e52f9a29d92835049ed671f456ff59a02a7b46a548dc943f175ac88346
                                                                                          • Opcode Fuzzy Hash: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                                                                          • Instruction Fuzzy Hash: FCD0127040020DBFCB00DFE4EC4D98DBFFCEB00349F104168A005A2111DB70E6448B24
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4486322467.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4486310127.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.4486322467.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_10000000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: CommandLine
                                                                                          • String ID: 8(M
                                                                                          • API String ID: 3253501508-2148138685
                                                                                          • Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                          • Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
                                                                                          • Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                          • Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CommandLine
                                                                                          • String ID: 8(M
                                                                                          • API String ID: 3253501508-2148138685
                                                                                          • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                          • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                                                                          • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                          • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                          • GetLastError.KERNEL32 ref: 0043FB02
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.4485574433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.4485561919.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485603210.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485620383.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.4485645103.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 1717984340-0
                                                                                          • Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                          • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                          • Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                          • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                                                          Execution Graph

                                                                                          Execution Coverage:6.5%
                                                                                          Dynamic/Decrypted Code Coverage:9.2%
                                                                                          Signature Coverage:1.3%
                                                                                          Total number of Nodes:2000
                                                                                          Total number of Limit Nodes:83
??3@YAXPAX 38139->38142 38143 40e92a ??3@YAXPAX 38139->38143 38140->38139 38141->38125 38142->38143 38143->38141 38145 40aa04 free 38144->38145 38146 40ea88 38145->38146 38147 40aa04 free 38146->38147 38148 40ea90 38147->38148 38149 40aa04 free 38148->38149 38150 40ea98 38149->38150 38151 40aa04 free 38150->38151 38152 40eaa0 38151->38152 38153 40a9ce 4 API calls 38152->38153 38154 40eab3 38153->38154 38155 40a9ce 4 API calls 38154->38155 38156 40eabd 38155->38156 38157 40a9ce 4 API calls 38156->38157 38158 40eac7 38157->38158 38159 40a9ce 4 API calls 38158->38159 38160 40ead1 38159->38160 38160->38133 38161->38093 38162->38097 38220 40b2cc 38163->38220 38165 402b0a 38166 40b2cc 27 API calls 38165->38166 38167 402b23 38166->38167 38168 40b2cc 27 API calls 38167->38168 38169 402b3a 38168->38169 38170 40b2cc 27 API calls 38169->38170 38171 402b54 38170->38171 38172 40b2cc 27 API calls 38171->38172 38173 402b6b 38172->38173 38174 40b2cc 27 API calls 38173->38174 38175 402b82 38174->38175 38176 40b2cc 27 API calls 38175->38176 38177 402b99 38176->38177 38178 40b2cc 27 API calls 38177->38178 38179 402bb0 38178->38179 38180 40b2cc 27 API calls 38179->38180 38181 402bc7 38180->38181 38182 40b2cc 27 API calls 38181->38182 38183 402bde 38182->38183 38184 40b2cc 27 API calls 38183->38184 38185 402bf5 38184->38185 38186 40b2cc 27 API calls 38185->38186 38187 402c0c 38186->38187 38188 40b2cc 27 API calls 38187->38188 38189 402c23 38188->38189 38190 40b2cc 27 API calls 38189->38190 38191 402c3a 38190->38191 38192 40b2cc 27 API calls 38191->38192 38193 402c51 38192->38193 38194 40b2cc 27 API calls 38193->38194 38195 402c68 38194->38195 38196 40b2cc 27 API calls 38195->38196 38197 402c7f 38196->38197 38198 40b2cc 27 API calls 38197->38198 38199 402c99 38198->38199 38200 40b2cc 27 API calls 38199->38200 38201 402cb3 38200->38201 38202 40b2cc 27 API calls 38201->38202 38203 402cd5 38202->38203 38204 40b2cc 27 API calls 38203->38204 38205 402cf0 38204->38205 38206 40b2cc 27 API 
calls 38205->38206 38207 402d0b 38206->38207 38208 40b2cc 27 API calls 38207->38208 38209 402d26 38208->38209 38210 40b2cc 27 API calls 38209->38210 38211 402d3e 38210->38211 38212 40b2cc 27 API calls 38211->38212 38213 402d59 38212->38213 38214 40b2cc 27 API calls 38213->38214 38215 402d78 38214->38215 38216 40b2cc 27 API calls 38215->38216 38217 402d93 38216->38217 38218 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38217->38218 38218->38101 38219->38091 38223 40b58d 38220->38223 38222 40b2d1 38222->38165 38224 40b5a4 GetModuleHandleW FindResourceW 38223->38224 38225 40b62e 38223->38225 38226 40b5c2 LoadResource 38224->38226 38228 40b5e7 38224->38228 38225->38222 38227 40b5d0 SizeofResource LockResource 38226->38227 38226->38228 38227->38228 38228->38225 38236 40afcf 38228->38236 38230 40b608 memcpy 38239 40b4d3 memcpy 38230->38239 38232 40b61e 38240 40b3c1 18 API calls 38232->38240 38234 40b626 38241 40b04b 38234->38241 38237 40b04b ??3@YAXPAX 38236->38237 38238 40afd7 ??2@YAPAXI 38237->38238 38238->38230 38239->38232 38240->38234 38242 40b051 ??3@YAXPAX 38241->38242 38243 40b05f 38241->38243 38242->38243 38243->38225 38244->38109 38246 4032c4 38245->38246 38247 40b633 free 38246->38247 38248 403316 38247->38248 38267 44553b 38248->38267 38252 403480 38465 40368c 15 API calls 38252->38465 38254 403489 38255 40b633 free 38254->38255 38257 403495 38255->38257 38256 40333c 38256->38252 38258 4033a9 memset memcpy 38256->38258 38259 4033ec wcscmp 38256->38259 38463 4028e7 11 API calls 38256->38463 38464 40f508 6 API calls 38256->38464 38257->38111 38258->38256 38258->38259 38259->38256 38262 403421 _wcsicmp 38262->38256 38264 444a64 FreeLibrary 38263->38264 38265 444a83 38263->38265 38264->38265 38265->38111 38266->38112 38268 445548 38267->38268 38269 445599 38268->38269 38466 40c768 38268->38466 38270 4455a8 memset 38269->38270 38277 4457f2 38269->38277 38549 403988 38270->38549 38280 445854 38277->38280 38651 403e2d memset 
memset memset memset memset 38277->38651 38278 4455e5 38289 445672 38278->38289 38294 44560f 38278->38294 38279 4458bb memset memset 38282 414c2e 17 API calls 38279->38282 38333 4458aa 38280->38333 38674 403c9c memset memset memset memset memset 38280->38674 38285 4458f9 38282->38285 38284 44595e memset memset 38292 414c2e 17 API calls 38284->38292 38293 40b2cc 27 API calls 38285->38293 38287 44558c 38533 444b06 38287->38533 38288 44557a 38288->38287 38747 4136c0 CoTaskMemFree 38288->38747 38560 403fbe memset memset memset memset memset 38289->38560 38290 445a00 memset memset 38697 414c2e 38290->38697 38291 445b22 38297 445bca 38291->38297 38298 445b38 memset memset memset 38291->38298 38302 44599c 38292->38302 38304 445909 38293->38304 38306 4087b3 338 API calls 38294->38306 38296 445849 38763 40b1ab free free 38296->38763 38305 445c8b memset memset 38297->38305 38371 445cf0 38297->38371 38309 445bd4 38298->38309 38310 445b98 38298->38310 38303 40b2cc 27 API calls 38302->38303 38317 4459ac 38303->38317 38314 409d1f 6 API calls 38304->38314 38318 414c2e 17 API calls 38305->38318 38315 445621 38306->38315 38307 44589f 38764 40b1ab free free 38307->38764 38308 445585 38748 41366b FreeLibrary 38308->38748 38324 414c2e 17 API calls 38309->38324 38310->38309 38320 445ba2 38310->38320 38313 403335 38462 4452e5 45 API calls 38313->38462 38328 445919 38314->38328 38749 4454bf 20 API calls 38315->38749 38316 445823 38316->38296 38338 4087b3 338 API calls 38316->38338 38329 409d1f 6 API calls 38317->38329 38330 445cc9 38318->38330 38836 4099c6 wcslen 38320->38836 38321 4456b2 38751 40b1ab free free 38321->38751 38323 40b2cc 27 API calls 38334 445a4f 38323->38334 38325 445be2 38324->38325 38336 40b2cc 27 API calls 38325->38336 38326 445d3d 38356 40b2cc 27 API calls 38326->38356 38327 445d88 memset memset memset 38339 414c2e 17 API calls 38327->38339 38765 409b98 GetFileAttributesW 38328->38765 38340 4459bc 38329->38340 38341 409d1f 6 API calls 38330->38341 38331 445879 
38331->38307 38352 4087b3 338 API calls 38331->38352 38333->38279 38357 44594a 38333->38357 38713 409d1f wcslen wcslen 38334->38713 38346 445bf3 38336->38346 38338->38316 38349 445dde 38339->38349 38832 409b98 GetFileAttributesW 38340->38832 38351 445ce1 38341->38351 38342 445bb3 38839 445403 memset 38342->38839 38343 445680 38343->38321 38583 4087b3 memset 38343->38583 38355 409d1f 6 API calls 38346->38355 38347 445928 38347->38357 38766 40b6ef 38347->38766 38358 40b2cc 27 API calls 38349->38358 38856 409b98 GetFileAttributesW 38351->38856 38352->38331 38354 40b2cc 27 API calls 38363 445a94 38354->38363 38365 445c07 38355->38365 38366 445d54 _wcsicmp 38356->38366 38357->38284 38370 4459ed 38357->38370 38369 445def 38358->38369 38359 4459cb 38359->38370 38379 40b6ef 253 API calls 38359->38379 38718 40ae18 38363->38718 38364 44566d 38364->38277 38634 413d4c 38364->38634 38375 445389 259 API calls 38365->38375 38376 445d71 38366->38376 38439 445d67 38366->38439 38368 445665 38750 40b1ab free free 38368->38750 38377 409d1f 6 API calls 38369->38377 38370->38290 38370->38291 38371->38313 38371->38326 38371->38327 38372 445389 259 API calls 38372->38297 38381 445c17 38375->38381 38857 445093 23 API calls 38376->38857 38384 445e03 38377->38384 38379->38370 38380 4456d8 38386 40b2cc 27 API calls 38380->38386 38387 40b2cc 27 API calls 38381->38387 38383 44563c 38383->38368 38389 4087b3 338 API calls 38383->38389 38858 409b98 GetFileAttributesW 38384->38858 38385 40b6ef 253 API calls 38385->38313 38391 4456e2 38386->38391 38392 445c23 38387->38392 38388 445d83 38388->38313 38389->38383 38752 413fa6 _wcsicmp _wcsicmp 38391->38752 38396 409d1f 6 API calls 38392->38396 38394 445e12 38401 445e6b 38394->38401 38408 40b2cc 27 API calls 38394->38408 38399 445c37 38396->38399 38397 445aa1 38400 445b17 38397->38400 38415 445ab2 memset 38397->38415 38428 409d1f 6 API calls 38397->38428 38725 40add4 38397->38725 38730 445389 38397->38730 38739 40ae51 38397->38739 38398 4456eb 38404 
4456fd memset memset memset memset 38398->38404 38405 4457ea 38398->38405 38406 445389 259 API calls 38399->38406 38833 40aebe 38400->38833 38860 445093 23 API calls 38401->38860 38753 409c70 wcscpy wcsrchr 38404->38753 38756 413d29 38405->38756 38411 445c47 38406->38411 38412 445e33 38408->38412 38409 445e7e 38414 445f67 38409->38414 38417 40b2cc 27 API calls 38411->38417 38418 409d1f 6 API calls 38412->38418 38423 40b2cc 27 API calls 38414->38423 38419 40b2cc 27 API calls 38415->38419 38421 445c53 38417->38421 38422 445e47 38418->38422 38419->38397 38420 409c70 2 API calls 38424 44577e 38420->38424 38425 409d1f 6 API calls 38421->38425 38859 409b98 GetFileAttributesW 38422->38859 38427 445f73 38423->38427 38429 409c70 2 API calls 38424->38429 38430 445c67 38425->38430 38432 409d1f 6 API calls 38427->38432 38428->38397 38433 44578d 38429->38433 38434 445389 259 API calls 38430->38434 38431 445e56 38431->38401 38437 445e83 memset 38431->38437 38435 445f87 38432->38435 38433->38405 38441 40b2cc 27 API calls 38433->38441 38434->38297 38863 409b98 GetFileAttributesW 38435->38863 38440 40b2cc 27 API calls 38437->38440 38439->38313 38439->38385 38442 445eab 38440->38442 38443 4457a8 38441->38443 38444 409d1f 6 API calls 38442->38444 38445 409d1f 6 API calls 38443->38445 38446 445ebf 38444->38446 38447 4457b8 38445->38447 38448 40ae18 9 API calls 38446->38448 38755 409b98 GetFileAttributesW 38447->38755 38458 445ef5 38448->38458 38450 4457c7 38450->38405 38452 4087b3 338 API calls 38450->38452 38451 40ae51 9 API calls 38451->38458 38452->38405 38453 445f5c 38455 40aebe FindClose 38453->38455 38454 40add4 2 API calls 38454->38458 38455->38414 38456 40b2cc 27 API calls 38456->38458 38457 409d1f 6 API calls 38457->38458 38458->38451 38458->38453 38458->38454 38458->38456 38458->38457 38460 445f3a 38458->38460 38861 409b98 GetFileAttributesW 38458->38861 38862 445093 23 API calls 38460->38862 38462->38256 38463->38262 38464->38256 38465->38254 38467 40c775 38466->38467 38864 
40b1ab free free 38467->38864 38469 40c788 38865 40b1ab free free 38469->38865 38471 40c790 38866 40b1ab free free 38471->38866 38473 40c798 38474 40aa04 free 38473->38474 38475 40c7a0 38474->38475 38867 40c274 memset 38475->38867 38480 40a8ab 9 API calls 38481 40c7c3 38480->38481 38482 40a8ab 9 API calls 38481->38482 38483 40c7d0 38482->38483 38896 40c3c3 38483->38896 38487 40c877 38496 40bdb0 38487->38496 38488 40c86c 38938 4053fe 39 API calls 38488->38938 38494 40c7e5 38494->38487 38494->38488 38495 40c634 50 API calls 38494->38495 38921 40a706 38494->38921 38495->38494 39201 404363 38496->39201 38499 40bf5d 39221 40440c 38499->39221 38500 40bdee 38500->38499 38504 40b2cc 27 API calls 38500->38504 38501 40bddf CredEnumerateW 38501->38500 38505 40be02 wcslen 38504->38505 38505->38499 38510 40be1e 38505->38510 38506 40be26 wcsncmp 38506->38510 38509 40be7d memset 38509->38510 38511 40bea7 memcpy 38509->38511 38510->38499 38510->38506 38510->38509 38510->38511 38512 40bf11 wcschr 38510->38512 38513 40b2cc 27 API calls 38510->38513 38515 40bf43 LocalFree 38510->38515 39224 40bd5d 28 API calls 38510->39224 39225 404423 38510->39225 38511->38510 38511->38512 38512->38510 38514 40bef6 _wcsnicmp 38513->38514 38514->38510 38514->38512 38515->38510 38516 4135f7 39240 4135e0 38516->39240 38519 40b2cc 27 API calls 38520 41360d 38519->38520 38521 40a804 8 API calls 38520->38521 38522 413613 38521->38522 38523 41361b 38522->38523 38524 41363e 38522->38524 38525 40b273 27 API calls 38523->38525 38526 4135e0 FreeLibrary 38524->38526 38527 413625 GetProcAddress 38525->38527 38528 413643 38526->38528 38527->38524 38529 413648 38527->38529 38528->38288 38530 413658 38529->38530 38531 4135e0 FreeLibrary 38529->38531 38530->38288 38532 413666 38531->38532 38532->38288 39243 4449b9 38533->39243 38536 444c1f 38536->38269 38537 4449b9 42 API calls 38539 444b4b 38537->38539 38538 444c15 38541 4449b9 42 API calls 38538->38541 38539->38538 39264 444972 GetVersionExW 38539->39264 
38541->38536 38542 444b99 memcmp 38547 444b8c 38542->38547 38543 444c0b 39268 444a85 42 API calls 38543->39268 38547->38542 38547->38543 39265 444aa5 42 API calls 38547->39265 39266 40a7a0 GetVersionExW 38547->39266 39267 444a85 42 API calls 38547->39267 38550 40399d 38549->38550 39269 403a16 38550->39269 38552 403a09 39283 40b1ab free free 38552->39283 38554 403a12 wcsrchr 38554->38278 38555 4039a3 38555->38552 38558 4039f4 38555->38558 39280 40a02c CreateFileW 38555->39280 38558->38552 38559 4099c6 2 API calls 38558->38559 38559->38552 38561 414c2e 17 API calls 38560->38561 38562 404048 38561->38562 38563 414c2e 17 API calls 38562->38563 38564 404056 38563->38564 38565 409d1f 6 API calls 38564->38565 38566 404073 38565->38566 38567 409d1f 6 API calls 38566->38567 38568 40408e 38567->38568 38569 409d1f 6 API calls 38568->38569 38570 4040a6 38569->38570 38571 403af5 20 API calls 38570->38571 38572 4040ba 38571->38572 38573 403af5 20 API calls 38572->38573 38574 4040cb 38573->38574 39310 40414f memset 38574->39310 38576 404140 39324 40b1ab free free 38576->39324 38577 4040ec memset 38581 4040e0 38577->38581 38579 404148 38579->38343 38580 4099c6 2 API calls 38580->38581 38581->38576 38581->38577 38581->38580 38582 40a8ab 9 API calls 38581->38582 38582->38581 39337 40a6e6 WideCharToMultiByte 38583->39337 38585 4087ed 39338 4095d9 memset 38585->39338 38588 408809 memset memset memset memset memset 38589 40b2cc 27 API calls 38588->38589 38590 4088a1 38589->38590 38591 409d1f 6 API calls 38590->38591 38592 4088b1 38591->38592 38593 40b2cc 27 API calls 38592->38593 38594 4088c0 38593->38594 38595 409d1f 6 API calls 38594->38595 38596 4088d0 38595->38596 38597 40b2cc 27 API calls 38596->38597 38598 4088df 38597->38598 38599 409d1f 6 API calls 38598->38599 38600 4088ef 38599->38600 38601 40b2cc 27 API calls 38600->38601 38602 4088fe 38601->38602 38603 409d1f 6 API calls 38602->38603 38604 40890e 38603->38604 38605 40b2cc 27 API calls 38604->38605 38606 40891d 38605->38606 
38615 408953 38615->38343 38635 40b633 free 38634->38635 38636 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38635->38636 38637 413f00 Process32NextW 38636->38637 38638 413da5 OpenProcess 38637->38638 38639 413f17 CloseHandle 38637->38639 38640 413eb0 38638->38640 38641 413df3 memset 38638->38641 38639->38380 38640->38637 38643 413ebf free 38640->38643 38644 4099f4 3 API calls 38640->38644 39781 413f27 38641->39781 38643->38640 38644->38640 38645 413e1f 38646 413e37 GetModuleHandleW 38645->38646 39786 413959 38645->39786 39802 413ca4 38645->39802 38646->38645 38648 413e46 GetProcAddress 38646->38648 38648->38645 38650 413ea2 CloseHandle 38650->38640 38652 414c2e 17 API calls 38651->38652 38653 403eb7 38652->38653 38654 414c2e 17 API calls 38653->38654 38655 403ec5 38654->38655 38656 409d1f 6 API calls 38655->38656 38657 403ee2 38656->38657 38658 409d1f 6 API calls 38657->38658 38659 403efd 38658->38659 38660 409d1f 6 API calls 38659->38660 38661 403f15 38660->38661 38662 403af5 20 API calls 38661->38662 38663 403f29 38662->38663 38664 403af5 20 API calls 38663->38664 38665 403f3a 38664->38665 38666 40414f 33 API calls 38665->38666 38672 403f4f 38666->38672 38667 403faf 39816 40b1ab free free 38667->39816 38669 403f5b memset 38669->38672 38670 403fb7 38670->38316 38671 4099c6 2 API calls 38671->38672 38672->38667 38672->38669 38672->38671 38673 40a8ab 9 API calls 38672->38673 38673->38672 38675 414c2e 17 API calls 38674->38675 38676 403d26 38675->38676 38677 414c2e 17 API calls 38676->38677 38678 403d34 38677->38678 38679 409d1f 6 API calls 38678->38679 38680 403d51 38679->38680 38681 409d1f 6 API calls 38680->38681 38682 403d6c 38681->38682 38683 409d1f 6 API calls 38682->38683 38684 403d84 38683->38684 38685 403af5 20 API calls 38684->38685 38686 403d98 38685->38686 38687 403af5 20 API calls 38686->38687 38688 403da9 38687->38688 38689 40414f 33 API calls 38688->38689 38690 403dbe 38689->38690 38691 403e1e 38690->38691 38693 403dca memset 38690->38693 
38695 4099c6 2 API calls 38690->38695 38696 40a8ab 9 API calls 38690->38696 39817 40b1ab free free 38691->39817 38693->38690 38694 403e26 38694->38331 38695->38690 38696->38690 38698 414b81 9 API calls 38697->38698 38699 414c40 38698->38699 38700 414c73 memset 38699->38700 39818 409cea 38699->39818 38702 414c94 38700->38702 39821 414592 RegOpenKeyExW 38702->39821 38705 414c64 SHGetSpecialFolderPathW 38707 414d0b 38705->38707 38706 414cc1 38708 414cf4 wcscpy 38706->38708 39822 414bb0 wcscpy 38706->39822 38707->38323 38708->38707 38710 414cd2 39823 4145ac RegQueryValueExW 38710->39823 38712 414ce9 RegCloseKey 38712->38708 38714 409d62 38713->38714 38715 409d43 wcscpy 38713->38715 38714->38354 38716 409719 2 API calls 38715->38716 38717 409d51 wcscat 38716->38717 38717->38714 38719 40aebe FindClose 38718->38719 38720 40ae21 38719->38720 38721 4099c6 2 API calls 38720->38721 38722 40ae35 38721->38722 38723 409d1f 6 API calls 38722->38723 38724 40ae49 38723->38724 38724->38397 38726 40ade0 38725->38726 38729 40ae0f 38725->38729 38727 40ade7 wcscmp 38726->38727 38726->38729 38728 40adfe wcscmp 38727->38728 38727->38729 38728->38729 38729->38397 38731 40ae18 9 API calls 38730->38731 38732 4453c4 38731->38732 38733 40ae51 9 API calls 38732->38733 38734 4453f3 38732->38734 38735 40add4 2 API calls 38732->38735 38738 445403 254 API calls 38732->38738 38733->38732 38736 40aebe FindClose 38734->38736 38735->38732 38737 4453fe 38736->38737 38737->38397 38738->38732 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38397 38746->38745 38747->38308 38748->38287 38749->38383 38750->38364 38751->38364 38752->38398 38754 409c89 38753->38754 38754->38420 38755->38450 38757 413d39 38756->38757 38758 413d2f FreeLibrary 38756->38758 38759 40b633 free 38757->38759 38758->38757 
38760 413d42 38759->38760 38761 40b633 free 38760->38761 38762 413d4a 38761->38762 38762->38277 38763->38280 38764->38333 38765->38347 38767 44db70 38766->38767 38768 40b6fc memset 38767->38768 38769 409c70 2 API calls 38768->38769 38770 40b732 wcsrchr 38769->38770 38771 40b743 38770->38771 38772 40b746 memset 38770->38772 38771->38772 38773 40b2cc 27 API calls 38772->38773 38774 40b76f 38773->38774 38775 409d1f 6 API calls 38774->38775 38776 40b783 38775->38776 39824 409b98 GetFileAttributesW 38776->39824 38778 40b792 38779 40b7c2 38778->38779 38780 409c70 2 API calls 38778->38780 39825 40bb98 38779->39825 38782 40b7a5 38780->38782 38784 40b2cc 27 API calls 38782->38784 38788 40b7b2 38784->38788 38785 40b837 CloseHandle 38787 40b83e memset 38785->38787 38786 40b817 38789 409a45 3 API calls 38786->38789 39858 40a6e6 WideCharToMultiByte 38787->39858 38791 409d1f 6 API calls 38788->38791 38792 40b827 CopyFileW 38789->38792 38791->38779 38792->38787 38793 40b866 38794 444432 121 API calls 38793->38794 38795 40b879 38794->38795 38796 40bad5 38795->38796 38797 40b273 27 API calls 38795->38797 38798 40baeb 38796->38798 38799 40bade DeleteFileW 38796->38799 38800 40b89a 38797->38800 38801 40b04b ??3@YAXPAX 38798->38801 38799->38798 38802 438552 134 API calls 38800->38802 38803 40baf3 38801->38803 38804 40b8a4 38802->38804 38803->38357 38805 40bacd 38804->38805 38807 4251c4 137 API calls 38804->38807 38806 443d90 111 API calls 38805->38806 38806->38796 38830 40b8b8 38807->38830 38808 40bac6 39868 424f26 123 API calls 38808->39868 38809 40b8bd memset 39859 425413 17 API calls 38809->39859 38812 425413 17 API calls 38812->38830 38815 40a71b MultiByteToWideChar 38815->38830 38816 40a734 MultiByteToWideChar 38816->38830 38819 40b9b5 memcmp 38819->38830 38820 4099c6 2 API calls 38820->38830 38821 404423 38 API calls 38821->38830 38824 40bb3e memset memcpy 39869 40a734 MultiByteToWideChar 38824->39869 38825 4251c4 137 API calls 38825->38830 38827 40bb88 LocalFree 38827->38830 
38830->38808 38830->38809 38830->38812 38830->38815 38830->38816 38830->38819 38830->38820 38830->38821 38830->38824 38830->38825 38831 40ba5f memcmp 38830->38831 39860 4253ef 16 API calls 38830->39860 39861 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38830->39861 39862 4253af 17 API calls 38830->39862 39863 4253cf 17 API calls 38830->39863 39864 447280 memset 38830->39864 39865 447960 memset memcpy memcpy memcpy 38830->39865 39866 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38830->39866 39867 447920 memcpy memcpy memcpy 38830->39867 38831->38830 38832->38359 38834 40aed1 38833->38834 38835 40aec7 FindClose 38833->38835 38834->38291 38835->38834 38837 4099d7 38836->38837 38838 4099da memcpy 38836->38838 38837->38838 38838->38342 38840 40b2cc 27 API calls 38839->38840 38841 44543f 38840->38841 38842 409d1f 6 API calls 38841->38842 38843 44544f 38842->38843 39957 409b98 GetFileAttributesW 38843->39957 38845 44545e 38846 445476 38845->38846 38847 40b6ef 253 API calls 38845->38847 38848 40b2cc 27 API calls 38846->38848 38847->38846 38849 445482 38848->38849 38850 409d1f 6 API calls 38849->38850 38851 445492 38850->38851 39958 409b98 GetFileAttributesW 38851->39958 38853 4454a1 38854 4454b9 38853->38854 38855 40b6ef 253 API calls 38853->38855 38854->38372 38855->38854 38856->38371 38857->38388 38858->38394 38859->38431 38860->38409 38861->38458 38862->38458 38863->38439 38864->38469 38865->38471 38866->38473 38868 414c2e 17 API calls 38867->38868 38869 40c2ae 38868->38869 38939 40c1d3 38869->38939 38874 40c3be 38891 40a8ab 38874->38891 38875 40afcf 2 API calls 38876 40c2fd FindFirstUrlCacheEntryW 38875->38876 38877 40c3b6 38876->38877 38878 40c31e wcschr 38876->38878 38879 40b04b ??3@YAXPAX 38877->38879 38880 40c331 38878->38880 38881 40c35e FindNextUrlCacheEntryW 38878->38881 38879->38874 38883 40a8ab 9 API calls 38880->38883 38881->38878 38882 40c373 GetLastError 38881->38882 38884 40c3ad FindCloseUrlCache 38882->38884 38885 40c37e 38882->38885 38886 40c33e wcschr 
38883->38886 38884->38877 38887 40afcf 2 API calls 38885->38887 38886->38881 38888 40c34f 38886->38888 38889 40c391 FindNextUrlCacheEntryW 38887->38889 38890 40a8ab 9 API calls 38888->38890 38889->38878 38889->38884 38890->38881 39128 40a97a 38891->39128 38894 40a8cc 38894->38480 38895 40a8d0 7 API calls 38895->38894 39133 40b1ab free free 38896->39133 38898 40c3dd 38899 40b2cc 27 API calls 38898->38899 38900 40c3e7 38899->38900 39134 414592 RegOpenKeyExW 38900->39134 38902 40c3f4 38903 40c50e 38902->38903 38904 40c3ff 38902->38904 38918 405337 38903->38918 38905 40a9ce 4 API calls 38904->38905 38906 40c418 memset 38905->38906 39135 40aa1d 38906->39135 38909 40c471 38911 40c47a _wcsupr 38909->38911 38910 40c505 RegCloseKey 38910->38903 38912 40a8d0 7 API calls 38911->38912 38913 40c498 38912->38913 38914 40a8d0 7 API calls 38913->38914 38915 40c4ac memset 38914->38915 38916 40aa1d 38915->38916 38917 40c4e4 RegEnumValueW 38916->38917 38917->38910 38917->38911 39137 405220 38918->39137 38922 4099c6 2 API calls 38921->38922 38923 40a714 _wcslwr 38922->38923 38924 40c634 38923->38924 39194 405361 38924->39194 38927 40c65c wcslen 39197 4053b6 39 API calls 38927->39197 38928 40c71d wcslen 38928->38494 38930 40c677 38931 40c713 38930->38931 39198 40538b 39 API calls 38930->39198 39200 4053df 39 API calls 38931->39200 38934 40c6a5 38934->38931 38935 40c6a9 memset 38934->38935 38936 40c6d3 38935->38936 39199 40c589 44 API calls 38936->39199 38938->38487 38940 40ae18 9 API calls 38939->38940 38946 40c210 38940->38946 38941 40ae51 9 API calls 38941->38946 38942 40c264 38943 40aebe FindClose 38942->38943 38945 40c26f 38943->38945 38944 40add4 2 API calls 38944->38946 38951 40e5ed memset memset 38945->38951 38946->38941 38946->38942 38946->38944 38947 40c231 _wcsicmp 38946->38947 38948 40c1d3 35 API calls 38946->38948 38947->38946 38949 40c248 38947->38949 38948->38946 38964 40c084 22 API calls 38949->38964 38952 414c2e 17 API calls 38951->38952 38953 40e63f 38952->38953 38954 
409d1f 6 API calls 38953->38954 38955 40e658 38954->38955 38965 409b98 GetFileAttributesW 38955->38965 38957 40e667 38958 40e680 38957->38958 38959 409d1f 6 API calls 38957->38959 38966 409b98 GetFileAttributesW 38958->38966 38959->38958 38961 40e68f 38962 40c2d8 38961->38962 38967 40e4b2 38961->38967 38962->38874 38962->38875 38964->38946 38965->38957 38966->38961 38988 40e01e 38967->38988 38969 40e593 38970 40e5b0 38969->38970 38971 40e59c DeleteFileW 38969->38971 38972 40b04b ??3@YAXPAX 38970->38972 38971->38970 38974 40e5bb 38972->38974 38973 40e521 38973->38969 39011 40e175 38973->39011 38976 40e5c4 CloseHandle 38974->38976 38977 40e5cc 38974->38977 38976->38977 38979 40b633 free 38977->38979 38978 40e573 38980 40e584 38978->38980 38981 40e57c CloseHandle 38978->38981 38982 40e5db 38979->38982 39054 40b1ab free free 38980->39054 38981->38980 38985 40b633 free 38982->38985 38984 40e540 38984->38978 39031 40e2ab 38984->39031 38986 40e5e3 38985->38986 38986->38962 39055 406214 38988->39055 38991 40e16b 38991->38973 38994 40afcf 2 API calls 38995 40e08d OpenProcess 38994->38995 38996 40e0a4 GetCurrentProcess DuplicateHandle 38995->38996 39000 40e152 38995->39000 38997 40e0d0 GetFileSize 38996->38997 38998 40e14a CloseHandle 38996->38998 39091 409a45 GetTempPathW 38997->39091 38998->39000 38999 40e160 39003 40b04b ??3@YAXPAX 38999->39003 39000->38999 39002 406214 22 API calls 39000->39002 39002->38999 39003->38991 39004 40e0ea 39094 4096dc CreateFileW 39004->39094 39006 40e0f1 CreateFileMappingW 39007 40e140 CloseHandle CloseHandle 39006->39007 39008 40e10b MapViewOfFile 39006->39008 39007->38998 39009 40e13b CloseHandle 39008->39009 39010 40e11f WriteFile UnmapViewOfFile 39008->39010 39009->39007 39010->39009 39012 40e18c 39011->39012 39095 406b90 39012->39095 39015 40e1a7 memset 39021 40e1e8 39015->39021 39016 40e299 39105 4069a3 39016->39105 39022 40e283 39021->39022 39023 40dd50 _wcsicmp 39021->39023 39029 40e244 _snwprintf 39021->39029 39112 406e8f 13 API 
[Whole-program control-flow graph: node/edge dump from the report's interactive graph viewer (one entry per basic block: node id, code address, imports reached in that block, and src->dst edges). Recoverable from the node labels are the imports the executed routines reach: GetModuleFileNameW, CreateFileW, SetFilePointerEx, ReadFile, GetFileSize, GetLastError, GetModuleHandleW, GetProcAddress, FreeLibrary, NtQuerySystemInformation, GetCurrentProcessId, GetCurrentProcess, OpenProcess, DuplicateHandle, CloseHandle, GetProcessTimes, K32GetModuleFileNameExW, GetVersionExW, GetWindowsDirectoryW, GetTempFileNameW, GetFileAttributesW, GetFileTime, CompareFileTime, FindClose, RegEnumValueW, CryptUnprotectData, LocalFree, GetPrivateProfileStringW, GetPrivateProfileIntW, WritePrivateProfileStringW, FindResourceW, SizeofResource, LoadResource, LockResource, EnumResourceNamesW, MultiByteToWideChar, WideCharToMultiByte, and the MSVCRT string/memory routines (memset, memcpy, memmove, memcmp, wcslen, wcscpy, wcscat, wcschr, wcscmp, _wcsicmp, _memicmp, _snwprintf, _itow, malloc, free, operator new ??2@YAPAXI@Z and operator delete ??3@YAXPAX@Z).]

Control-flow Graph (executed / not executed basic blocks)

[Control-flow graph for the routine at 0040DD85: memset and GetModuleFileNameW (via subcall 00409BCA), CreateFileW on that path, then a loop over blocks 341-349 around the allocation subcall 0040AFCF, the ntdll resolver 0041352F and NtQuerySystemInformation, followed by CloseHandle and GetCurrentProcessId, a _wcsicmp comparison chain, OpenProcess, GetCurrentProcess and DuplicateHandle, a second memset plus 0041352F subcall, further _wcsicmp checks, and CloseHandle on the way out to 00413D29.]
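The graph text on this page is the flattened form of the report's interactive control-flow graph: a node id, the block's code address, the imports reached in that block, and src->dst edges, all run together on one line. The following is an added example, not Joe Sandbox tooling and not Remcos code, that parses that format back into a graph and walks it to answer the question an analyst has when reading it: which imports are reachable from a given block. The SAMPLE text is a constructed slice copied from the report's own graph for the routine at 0040DD85; the node ids and addresses are the report's, the function names and the "N API calls" summary handling are this example's assumptions about the format. Two constants worth knowing when reading the API list that follows: information class 00000010 passed to NtQuerySystemInformation is SystemHandleInformation, and C0000004 (visible as a leftover argument in the CloseHandle trace) is STATUS_INFO_LENGTH_MISMATCH, which is consistent with the grow-and-retry loop between blocks 341 and 349; ??2@YAPAXI@Z and ??3@YAXPAX@Z are the MSVCRT operator new and operator delete.

```python
"""Parse the flattened Joe Sandbox control-flow-graph text (node id, address,
API labels, 'src->dst' edges) into a graph and list imports reachable from a
block.  Added example; SAMPLE is a constructed slice of the report's graph
for the routine at 0040DD85, copied from the page, not produced by any tool."""
import re
from collections import defaultdict, deque

SAMPLE = """
39066 40dd85 memset 39065->39066 39067 409bca GetModuleFileNameW 39066->39067
39068 40ddbe CreateFileW 39067->39068 39071 40ddf1 39068->39071
39069 40afcf ??2@YAPAXI ??3@YAXPAX 39069->39071 39070 41352f 9 API calls 39070->39071
39071->39069 39071->39070 39072 40de0b NtQuerySystemInformation 39071->39072
39073 40de3b CloseHandle GetCurrentProcessId 39071->39073 39072->39071
39074 40de54 39073->39074 39075 413d4c 46 API calls 39074->39075
39079 40dea9 _wcsicmp 39080 40dee7 OpenProcess 39079->39080
39083 40de88 39075->39083 39083->39079 39085 40df23 GetCurrentProcess DuplicateHandle 39083->39085
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NUM_RE = re.compile(r"^\d+$")
SUMMARY_RE = re.compile(r"^\d+ API calls$")  # "46 API calls" = collapsed subcall


def parse_cfg(text):
    """Return (nodes, edges).  nodes: id -> {'addr': str|None, 'labels': [..]};
    edges: id -> set(ids).  Ids seen only in edges stay as addr=None so a
    walk never raises KeyError on a block the slice did not include."""
    nodes, edges = {}, defaultdict(set)
    tokens = text.split()
    i, current = 0, None
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            src, dst = m.groups()
            edges[src].add(dst)
            for n in (src, dst):
                nodes.setdefault(n, {"addr": None, "labels": []})
            current = None            # an edge token ends the label run
            i += 1
            continue
        # A bare number followed by "API calls" is a summary label, not a node id.
        if NUM_RE.match(tok) and i + 2 < len(tokens) \
                and tokens[i + 1] == "API" and tokens[i + 2] == "calls":
            if current is not None:
                nodes[current]["labels"].append(" ".join(tokens[i:i + 3]))
            i += 3
            continue
        if NUM_RE.match(tok):
            # Node definition: id, then its address (consumed unconditionally,
            # since addresses such as 409615 can themselves look decimal).
            current = tok
            entry = nodes.setdefault(current, {"addr": None, "labels": []})
            entry["addr"] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
            continue
        if current is not None:       # anything else is an import/CRT label
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def node_for_address(nodes, addr):
    """Map a code address as printed in the report (no leading zeros) to its node id."""
    for nid, info in nodes.items():
        if info["addr"] == addr:
            return nid
    return None


def apis_reachable(nodes, edges, start, max_depth=None):
    """Breadth-first walk from `start`, collecting every label that is a real
    import/CRT name (summary labels are skipped) in first-seen order."""
    seen, queue, apis = {start}, deque([(start, 0)]), []
    while queue:
        node, depth = queue.popleft()
        for label in nodes.get(node, {}).get("labels", []):
            if not SUMMARY_RE.match(label) and label not in apis:
                apis.append(label)
        if max_depth is not None and depth >= max_depth:
            continue
        for nxt in sorted(edges.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return apis


if __name__ == "__main__":
    g_nodes, g_edges = parse_cfg(SAMPLE)
    entry = node_for_address(g_nodes, "40dd85")
    print("reachable from 0040DD85:", ", ".join(apis_reachable(g_nodes, g_edges, entry)))
```

Paste the full dump from a report page into `SAMPLE` (or read it from a file) and the same two functions work unchanged; `max_depth` bounds the walk so a query about one routine is not flooded by everything reachable through the shared helpers at 0040B273 and 0040A804.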
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                          • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                          • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                          • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                          • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                          • memset.MSVCRT ref: 0040DF5F
                                                                                          • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                          • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                          • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                          • String ID: dllhost.exe$p+v@Fv@Bv$taskhost.exe$taskhostex.exe
                                                                                          • API String ID: 708747863-3857311822
                                                                                          APIs
                                                                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                            • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                          • free.MSVCRT ref: 00418803
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 1355100292-0
                                                                                          APIs
                                                                                          • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 767404330-0
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFind$FirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 1690352074-0
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0041898C
                                                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoSystemmemset
                                                                                          • String ID:
                                                                                          • API String ID: 3558857096-0

                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004455C2
                                                                                          • wcsrchr.MSVCRT ref: 004455DA
                                                                                          • memset.MSVCRT ref: 0044570D
                                                                                          • memset.MSVCRT ref: 00445725
                                                                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                            • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                            • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                          • memset.MSVCRT ref: 0044573D
                                                                                          • memset.MSVCRT ref: 00445755
                                                                                          • memset.MSVCRT ref: 004458CB
                                                                                          • memset.MSVCRT ref: 004458E3
                                                                                          • memset.MSVCRT ref: 0044596E
                                                                                          • memset.MSVCRT ref: 00445A10
                                                                                          • memset.MSVCRT ref: 00445A28
                                                                                          • memset.MSVCRT ref: 00445AC6
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                          • memset.MSVCRT ref: 00445B52
                                                                                          • memset.MSVCRT ref: 00445B6A
                                                                                          • memset.MSVCRT ref: 00445C9B
                                                                                          • memset.MSVCRT ref: 00445CB3
                                                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                                                          • memset.MSVCRT ref: 00445B82
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                          • memset.MSVCRT ref: 00445986
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                          • API String ID: 1963886904-3798722523
                                                                                          • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                          • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                          • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                          • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                          • String ID: $/deleteregkey$/savelangfile
                                                                                          • API String ID: 2744995895-28296030
                                                                                          • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                          • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040B71C
                                                                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                          • wcsrchr.MSVCRT ref: 0040B738
                                                                                          • memset.MSVCRT ref: 0040B756
                                                                                          • memset.MSVCRT ref: 0040B7F5
                                                                                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                          • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                          • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                          • memset.MSVCRT ref: 0040B851
                                                                                          • memset.MSVCRT ref: 0040B8CA
                                                                                          • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                          • memset.MSVCRT ref: 0040BB53
                                                                                          • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                          • String ID: chp$v10
                                                                                          • API String ID: 1297422669-2783969131
                                                                                          • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                          • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                          • free.MSVCRT ref: 0040E49A
                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                          • memset.MSVCRT ref: 0040E380
                                                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                          • wcschr.MSVCRT ref: 0040E3B8
                                                                                          • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                          • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                                          • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                                          • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                          • API String ID: 3849927982-2252543386
                                                                                          • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                          • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                          • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                          • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004091E2
                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                          • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                          • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                          • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                          • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                          • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                          • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                          • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                          • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                          • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                          • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                          • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                          • String ID:
                                                                                          • API String ID: 3715365532-3916222277
                                                                                          • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                          • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                          • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                          • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                          • memset.MSVCRT ref: 00413D7F
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                          • memset.MSVCRT ref: 00413E07
                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                          • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                          • free.MSVCRT ref: 00413EC1
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                          • API String ID: 1344430650-1740548384
                                                                                          • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                          • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                            • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                          • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                          • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                          • String ID: bhv
                                                                                          • API String ID: 4234240956-2689659898
                                                                                          • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                          • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                          Control-flow Graph

                                                                                          • Block 691 (413f4f-413f52) → 692, 693
                                                                                          • Block 692 (413fa5)
                                                                                          • Block 693 (413f54-413f5a): call 40a804 → 695
                                                                                          • Block 695 (413f5f-413fa4): GetProcAddress * 5 → 692
                                                                                          APIs
                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                          • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                          • API String ID: 2941347001-70141382
                                                                                          • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                          • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                          • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                          • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
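
The two function entries above (the 0040E093 block that enumerates system handles, opens the owning process, duplicates a handle and writes the mapped bytes to a fresh temp file, and the 00413F6F block that resolves psapi.dll exports by name) are only readable once the raw hex arguments are decoded. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small parser for the report's own "APIs" line format, a decoder for the Win32 constants those arguments carry (standard SDK values; the mapping tables are mine), and two detection rules that restate the behaviours visible in the entries above. The embedded input lines are copied from this page; `?` arguments are values the sandbox could not resolve and are kept as None.

```python
"""Added example (not part of the Joe Sandbox report): parse the report's 'APIs' lines,
decode the Win32 constants they carry, and flag two behaviours shown in the entries above:
copying a locked file via a handle duplicated out of another process, and late binding of
psapi.dll process-enumeration exports through GetProcAddress."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One API line as Joe Sandbox prints it; subcall prefix and argument list are both optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

@dataclass
class Call:
    api: str
    module: str
    args: list          # int for hex literals, None for '?', str otherwise
    ref: int            # call-site address
    parent: int | None  # sub-function the call was reported under, if any

def parse_api_lines(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                          # headings, blank lines
        args = []
        for tok in map(str.strip, m["args"].split(",") if m["args"] else []):
            if tok == "?":
                args.append(None)             # value the sandbox could not resolve
            elif re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
                args.append(int(tok, 16) & 0xFFFFFFFF)   # "-7FBE829D" style -> uint32
            else:
                args.append(tok)              # string argument (path, export name, ...)
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16),
                          int(m["parent"], 16) if m["parent"] else None))
    return calls

# Standard Win32 values keyed by (api, argument index): FLAGS are bit masks, ENUMS exact values.
FLAGS = {
    ("OpenProcess", 0): {0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                         0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("CreateFileMappingW", 2): {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE"},
}
ENUMS = {
    ("NtQuerySystemInformation", 0): {0x10: "SystemHandleInformation"},
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
}

def decode_arg(call: Call, index: int) -> str | None:
    """Symbolic name for call.args[index], or None when nothing is known about it."""
    if index >= len(call.args) or not isinstance(call.args[index], int):
        return None
    value = call.args[index]
    if (call.api, index) in ENUMS:
        return ENUMS[(call.api, index)].get(value)
    names = [n for bit, n in FLAGS.get((call.api, index), {}).items() if value & bit]
    return "|".join(names) or None

def detect_locked_file_copy(calls: list[Call]) -> dict | None:
    """Call-site of each stage of 'duplicate a foreign file handle, then copy the file'
    (enumerate handles, open owner with PROCESS_DUP_HANDLE, duplicate, map read-only,
    write out); None if any stage is missing."""
    first = lambda pred: next((c.ref for c in calls if pred(c)), None)
    found = {
        "enum_handles": first(lambda c: decode_arg(c, 0) == "SystemHandleInformation"),
        "open_owner": first(lambda c: c.api == "OpenProcess"
                            and "PROCESS_DUP_HANDLE" in (decode_arg(c, 0) or "")),
        "duplicate": first(lambda c: c.api == "DuplicateHandle"),
        "map_readonly": first(lambda c: c.api == "CreateFileMappingW"
                              and decode_arg(c, 2) == "PAGE_READONLY"),
        "write_copy": first(lambda c: c.api == "WriteFile"),
    }
    return None if None in found.values() else found

PSAPI_EXPORTS = {"EnumProcesses", "EnumProcessModules", "GetModuleFileNameExW",
                 "GetModuleBaseNameW", "GetModuleInformation"}
def detect_psapi_late_binding(calls: list[Call]) -> list[str]:
    """psapi process-enumeration exports resolved with GetProcAddress, in trace order."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] in PSAPI_EXPORTS]

# Input: API lines copied verbatim from the 0040E093, 0040C373 and 00413F6F entries above.
REPORT_LINES = """
• Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
• Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• GetLastError.KERNEL32 ref: 0040C373
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
"""

if __name__ == "__main__":
    calls = parse_api_lines(REPORT_LINES)
    print("locked-file copy:", detect_locked_file_copy(calls))
    print("psapi late binding:", detect_psapi_late_binding(calls))
```

Run as a script it prints the call-site address of each stage of the handle-duplication copy and the four psapi exports resolved at run time. `decode_arg` is what turns the `00000040` in the OpenProcess line into PROCESS_DUP_HANDLE, `00000010` in NtQuerySystemInformation into SystemHandleInformation and the `80000000,00000003,...,00000003` of the subcall's CreateFileW into GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING; the detection rules are a reading of the entries on this page and should be treated as an analyst aid, not as the sample's own logic.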

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040C298
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                          • wcschr.MSVCRT ref: 0040C324
                                                                                          • wcschr.MSVCRT ref: 0040C344
                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                          • String ID: visited:
                                                                                          • API String ID: 2470578098-1702587658
                                                                                          • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                          • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                          Control-flow Graph

                                                                                          • Block 721 (40e175-40e1a1): call 40695d, call 406b90 → 726, 727
                                                                                          • Block 726 (40e1a7-40e1e5): memset → 729
                                                                                          • Block 727 (40e299-40e2a8): call 4069a3
                                                                                          • Block 729 (40e1e8-40e1fa): call 406e8f → 733, 734
                                                                                          • Block 733 (40e270-40e27d): call 406b53 → 729, 739
                                                                                          • Block 734 (40e1fc-40e219): call 40dd50 * 2 → 733, 745
                                                                                          • Block 739 (40e283-40e286) → 742, 743
                                                                                          • Block 742 (40e291-40e294): call 40aa04 → 727
                                                                                          • Block 743 (40e288-40e290): free → 742
                                                                                          • Block 745 (40e21b-40e21d) → 733, 746
                                                                                          • Block 746 (40e21f-40e235): call 40742e → 733, 749
                                                                                          • Block 749 (40e237-40e242): call 40aae3 → 733, 752
                                                                                          • Block 752 (40e244-40e26b): _snwprintf, call 40a8d0 → 733
                                                                                          APIs
                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                          • memset.MSVCRT ref: 0040E1BD
                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                          • free.MSVCRT ref: 0040E28B
                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                          • _snwprintf.MSVCRT ref: 0040E257
                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                          • API String ID: 2804212203-2982631422
                                                                                          • Opcode ID: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                          • Opcode Fuzzy Hash: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                          Control-flow Graph

                                                                                          • Block 754 (40b58d-40b59e) → 755, 756
                                                                                          • Block 755 (40b5a4-40b5c0): GetModuleHandleW, FindResourceW → 757, 758
                                                                                          • Block 756 (40b62e-40b632)
                                                                                          • Block 757 (40b5c2-40b5ce): LoadResource → 758, 759
                                                                                          • Block 758 (40b5e7) → 760
                                                                                          • Block 759 (40b5d0-40b5e5): SizeofResource, LockResource → 760
                                                                                          • Block 760 (40b5e9-40b5eb) → 756, 761
                                                                                          • Block 761 (40b5ed-40b5ef) → 756, 762
                                                                                          • Block 762 (40b5f1-40b629): call 40afcf, memcpy, call 40b4d3, call 40b3c1, call 40b04b → 756
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                          • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                          • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                          • String ID: AE$BIN
                                                                                          • API String ID: 1668488027-3931574542
                                                                                          • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                          • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                          • memset.MSVCRT ref: 0040BC75
                                                                                          • memset.MSVCRT ref: 0040BC8C
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                          • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                          • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 115830560-3916222277
                                                                                          • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                          • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                          Control-flow Graph

                                                                                          • Block 822 (41837f-4183bf) → 823, 824
                                                                                          • Block 823 (4183c1-4183cc): call 418197 → 829, 830
                                                                                          • Block 824 (4183dc-4183ec): call 418160 → 831, 832
                                                                                          • Block 829 (4183d2-4183d8) → 824
                                                                                          • Block 830 (418517-41851d)
                                                                                          • Block 831 (4183f6-41840b) → 833, 834
                                                                                          • Block 832 (4183ee-4183f1) → 830
                                                                                          • Block 833 (418417-418423) → 835
                                                                                          • Block 834 (41840d-418415) → 835
                                                                                          • Block 835 (418427-418442): call 41739b → 838, 839
                                                                                          • Block 838 (418444-41845d): CreateFileW → 840
                                                                                          • Block 839 (41845f-418475): CreateFileA → 840
                                                                                          • Block 840 (418477-41847c) → 841, 842
                                                                                          • Block 841 (4184c2-4184c7) → 845, 846
                                                                                          • Block 842 (41847e-418495): GetLastError, free → 843, 844
                                                                                          • Block 843 (4184b5-4184c0): call 444706 → 830
                                                                                          • Block 844 (418497-4184b3): call 41837f → 830
                                                                                          • Block 845 (4184d5-418501): memset, call 418758 → 850
                                                                                          • Block 846 (4184c9-4184d3) → 845
                                                                                          • Block 850 (418506-418515): free → 830
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                          • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                          • GetLastError.KERNEL32 ref: 0041847E
                                                                                          • free.MSVCRT ref: 0041848B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile$ErrorLastfree
                                                                                          • String ID: |A
                                                                                          • API String ID: 77810686-1717621600
                                                                                          • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                          • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0041249C
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                          • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                          • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                          • wcscpy.MSVCRT ref: 004125A0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                          • String ID: r!A
                                                                                          • API String ID: 2791114272-628097481
                                                                                          • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                          • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                          APIs
                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                          • _wcslwr.MSVCRT ref: 0040C817
                                                                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                          • wcslen.MSVCRT ref: 0040C82C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                          • API String ID: 2936932814-4196376884
                                                                                          • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                          • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040A824
                                                                                          • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                          • wcscpy.MSVCRT ref: 0040A854
                                                                                          • wcscat.MSVCRT ref: 0040A86A
                                                                                          • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                          • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                          • String ID: C:\Windows\system32
                                                                                          • API String ID: 669240632-2896066436
                                                                                          • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                          • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                          APIs
                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                          • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                          • wcslen.MSVCRT ref: 0040BE06
                                                                                          • wcsncmp.MSVCRT ref: 0040BE38
                                                                                          • memset.MSVCRT ref: 0040BE91
                                                                                          • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                          • wcschr.MSVCRT ref: 0040BF24
                                                                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                          • String ID:
                                                                                          • API String ID: 697348961-0
                                                                                          • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                          • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                          • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                          • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00403CBF
                                                                                          • memset.MSVCRT ref: 00403CD4
                                                                                          • memset.MSVCRT ref: 00403CE9
                                                                                          • memset.MSVCRT ref: 00403CFE
                                                                                          • memset.MSVCRT ref: 00403D13
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                          • memset.MSVCRT ref: 00403DDA
                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                          • String ID: Waterfox$Waterfox\Profiles
                                                                                          • API String ID: 4039892925-11920434
                                                                                          • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                          • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00403E50
                                                                                          • memset.MSVCRT ref: 00403E65
                                                                                          • memset.MSVCRT ref: 00403E7A
                                                                                          • memset.MSVCRT ref: 00403E8F
                                                                                          • memset.MSVCRT ref: 00403EA4
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                          • memset.MSVCRT ref: 00403F6B
                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                          • API String ID: 4039892925-2068335096
                                                                                          • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                          • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00403FE1
                                                                                          • memset.MSVCRT ref: 00403FF6
                                                                                          • memset.MSVCRT ref: 0040400B
                                                                                          • memset.MSVCRT ref: 00404020
                                                                                          • memset.MSVCRT ref: 00404035
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                          • memset.MSVCRT ref: 004040FC
                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                          • API String ID: 4039892925-3369679110
                                                                                          • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                          • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                          APIs
                                                                                          • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpy
                                                                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                          • API String ID: 3510742995-2641926074
                                                                                          • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                          • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                          APIs
                                                                                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                          • memset.MSVCRT ref: 004033B7
                                                                                          • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                          • wcscmp.MSVCRT ref: 004033FC
                                                                                          • _wcsicmp.MSVCRT ref: 00403439
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                          • String ID: $0.@
                                                                                          • API String ID: 2758756878-1896041820
                                                                                          • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                          • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                          APIs
                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 2941347001-0
                                                                                          • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                          • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                          • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                          • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00403C09
                                                                                          • memset.MSVCRT ref: 00403C1E
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                          • wcscat.MSVCRT ref: 00403C47
                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                          • wcscat.MSVCRT ref: 00403C70
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                          • API String ID: 1534475566-1174173950
                                                                                          • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                          • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                          APIs
                                                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                          • memset.MSVCRT ref: 00414C87
                                                                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                          • API String ID: 71295984-2036018995
                                                                                          • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                          • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                          APIs
                                                                                          • wcschr.MSVCRT ref: 00414458
                                                                                          • _snwprintf.MSVCRT ref: 0041447D
                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                          • String ID: "%s"
                                                                                          • API String ID: 1343145685-3297466227
                                                                                          • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                          • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProcProcessTimes
                                                                                          • String ID: GetProcessTimes$kernel32.dll
                                                                                          • API String ID: 1714573020-3385500049
                                                                                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004087D6
                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                          • memset.MSVCRT ref: 00408828
                                                                                          • memset.MSVCRT ref: 00408840
                                                                                          • memset.MSVCRT ref: 00408858
                                                                                          • memset.MSVCRT ref: 00408870
                                                                                          • memset.MSVCRT ref: 00408888
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 2911713577-0
                                                                                          • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                          • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                          APIs
                                                                                          • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                          • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                          • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcmp
                                                                                          • String ID: @ $SQLite format 3
                                                                                          • API String ID: 1475443563-3708268960
                                                                                          • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                          • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpqsort
                                                                                          • String ID: /nosort$/sort
                                                                                          • API String ID: 1579243037-1578091866
                                                                                          • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                          • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040E60F
                                                                                          • memset.MSVCRT ref: 0040E629
                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                          Strings
                                                                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                          • API String ID: 2887208581-2114579845
                                                                                          • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                          • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                          APIs
                                                                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                          • String ID:
                                                                                          • API String ID: 3473537107-0
                                                                                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00900048), ref: 0044DF01
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00910050), ref: 0044DF11
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00A26E08), ref: 0044DF21
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00910458), ref: 0044DF31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID:
                                                                                          • API String ID: 613200358-0
                                                                                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                          APIs
                                                                                          Strings
                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                          • API String ID: 2221118986-1725073988
                                                                                          • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                          • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                          • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@DeleteObject
                                                                                          • String ID: r!A
                                                                                          • API String ID: 1103273653-628097481
                                                                                          • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                          • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                          • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                          • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??2@
                                                                                          • String ID:
                                                                                          • API String ID: 1033339047-0
                                                                                          • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                          • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                          APIs
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                          • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$memcmp
                                                                                          • String ID: $$8
                                                                                          • API String ID: 2808797137-435121686
                                                                                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                          Strings
                                                                                          • duplicate column name: %s, xrefs: 004307FE
                                                                                          • too many columns on %s, xrefs: 00430763
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: duplicate column name: %s$too many columns on %s
                                                                                          • API String ID: 0-1445880494
                                                                                          • Opcode ID: 93b9582cf047c94b57d064edc5564507e5ded9912264045a732c21487ec891bf
                                                                                          • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                                                                          • Opcode Fuzzy Hash: 93b9582cf047c94b57d064edc5564507e5ded9912264045a732c21487ec891bf
                                                                                          • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                                                                          APIs
                                                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                            • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                          • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                          • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                            • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                          • String ID:
                                                                                          • API String ID: 1979745280-0
                                                                                          • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                          • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                          APIs
                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                          • memset.MSVCRT ref: 00403A55
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                          • String ID: history.dat$places.sqlite
                                                                                          • API String ID: 2641622041-467022611
                                                                                          • Opcode ID: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                          • Opcode Fuzzy Hash: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                          APIs
                                                                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                          • GetLastError.KERNEL32 ref: 00417627
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$File$PointerRead
                                                                                          • String ID:
                                                                                          • API String ID: 839530781-0
                                                                                          • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                          • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFindFirst
                                                                                          • String ID: *.*$index.dat
                                                                                          • API String ID: 1974802433-2863569691
                                                                                          • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                          • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                          APIs
                                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                          • GetLastError.KERNEL32 ref: 004175A2
                                                                                          • GetLastError.KERNEL32 ref: 004175A8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$FilePointer
                                                                                          • String ID:
                                                                                          • API String ID: 1156039329-0
                                                                                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                          • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                          • String ID:
                                                                                          • API String ID: 3397143404-0
                                                                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
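The report prints call arguments as raw hex, so the sequence inside subcall function 0040E01E (OpenProcess with access 00000040, DuplicateHandle, CreateFileMappingW with protection 00000002, MapViewOfFile with access 00000004, WriteFile, then DeleteFileW in the caller) and the CreateFileW at 0040A044 (80000000, 00000003, 00000003, 02000000) are easier to read once the values are mapped to their Windows SDK names: PROCESS_DUP_HANDLE, PAGE_READONLY, FILE_MAP_READ, and GENERIC_READ with FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS. Decoded, the first chain is the way a tool reads a file that another process (here a browser, given the history.dat and places.sqlite strings elsewhere in this listing) holds open without sharing: duplicate its handle, map the file read-only, copy the bytes out. The script below is an added example, not part of the Joe Sandbox report or the sample. It parses the report's own "Api.Module(args), ref: addr" line format, decodes the flag arguments, and checks a trace for that in-order handle-duplication copy chain. The embedded sample lines are constructed from the entries shown above; the sandbox prints "?" for arguments it could not recover, and the listing order is taken as call order, which is what the report presents.

```python
"""Decode Joe Sandbox API-trace lines and flag the handle-duplication file copy.
Added example, not part of the report. Constant names are Windows SDK values."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: subcall function 0040E01E, the DeleteFileW and memset that
# follow it in the listing, and the CreateFileW at 0040A044.
SAMPLE_TRACE = """\
Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
memset.MSVCRT ref: 0040E380
CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
"""

# "Part of subcall function X: " prefix is optional; so is the argument list
# (memset.MSVCRT ref: ... has none, and then there is no comma before "ref").
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

@dataclass
class Call:
    api: str
    module: str
    args: list                    # int for hex values, None for '?', str for symbols
    ref: str                      # call-site address from the "ref:" field
    subcall: Optional[str] = None

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return -int(tok[1:], 16) if tok[0] == "-" else int(tok, 16)
    return tok                    # e.g. Function_0004E518

def parse_trace(text: str) -> List[Call]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("• ").strip())
        if not m:
            continue              # headings such as "Strings" or "Similarity"
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls

# (api, zero-based argument index) -> {bit or enum value: SDK name}
FLAG_TABLES = {
    ("OpenProcess", 0): {0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                         0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                         0x0400: "PROCESS_QUERY_INFORMATION"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"},
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
    ("CreateFileW", 5): {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"},
    ("CreateFileMappingW", 2): {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE"},
    ("MapViewOfFile", 1): {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ"},
}
ENUM_ARGS = {("CreateFileW", 4)}  # dwCreationDisposition is an enum, not a bitmask

def decode_arg(api: str, idx: int, value) -> str:
    if value is None:
        return "?"
    if not isinstance(value, int):
        return str(value)
    table = FLAG_TABLES.get((api, idx))
    if table is None:
        return f"{value:08X}"
    if (api, idx) in ENUM_ARGS:
        return table.get(value, f"{value:08X}")
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)     # bits the table has no name for
    if unknown:
        names.append(f"{unknown:08X}")
    return "|".join(names) if names else "0"

def describe(call: Call) -> str:
    return f"{call.api}({', '.join(decode_arg(call.api, i, v) for i, v in enumerate(call.args))})"

# Ordered chain: open the owning process for handle duplication, pull a copy of its
# file handle, map the file and write the bytes out. Later calls may sit in between.
LOCKED_COPY_CHAIN = [
    ("OpenProcess", lambda c: bool(c.args) and isinstance(c.args[0], int) and bool(c.args[0] & 0x0040)),
    ("DuplicateHandle", lambda c: True),
    ("CreateFileMappingW", lambda c: True),
    ("MapViewOfFile", lambda c: True),
    ("WriteFile", lambda c: True),
]

def find_locked_file_copy(calls: List[Call]) -> List[str]:
    """Call-site refs of the first in-order match of LOCKED_COPY_CHAIN, or [] if none."""
    refs, stage = [], 0
    for c in calls:
        api, pred = LOCKED_COPY_CHAIN[stage]
        if c.api == api and pred(c):
            refs.append(c.ref)
            stage += 1
            if stage == len(LOCKED_COPY_CHAIN):
                return refs
    return []

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for c in trace:
        print(f"{c.ref}  {describe(c)}")
    print("locked-file copy chain:", find_locked_file_copy(trace) or "not found")
```

The chain matcher deliberately ignores the intervening GetFileSize, UnmapViewOfFile and CloseHandle calls, and requires PROCESS_DUP_HANDLE in the OpenProcess access mask rather than the whole argument list, so it still fires when the sandbox reports some arguments as "?". Pasting a different function's API list into SAMPLE_TRACE is enough to run it over another entry of this report.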
                                                                                          APIs
                                                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1125800050-0
                                                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                          • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleSleep
                                                                                          • String ID: }A
                                                                                          • API String ID: 252777609-2138825249
                                                                                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                          APIs
                                                                                          • malloc.MSVCRT ref: 00409A10
                                                                                          • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                          • free.MSVCRT ref: 00409A31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: freemallocmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 3056473165-0
                                                                                          • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                          • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                          APIs
                                                                                          Strings
                                                                                          • failed memory resize %u to %u bytes, xrefs: 00415358
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: realloc
                                                                                          • String ID: failed memory resize %u to %u bytes
                                                                                          • API String ID: 471065373-2134078882
                                                                                          • Opcode ID: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                                                                          • Instruction ID: fa0be88ae63bf8e7a0ec1cbb838f3bc130d20eb0a75070b99cf9e4f37552e13a
                                                                                          • Opcode Fuzzy Hash: 3434da1dbcbe40749f7bb19bb969ba9348cca2f332a45bcd3c57ad1b142d0162
                                                                                          • Instruction Fuzzy Hash: 6EF05CB3A01705E7D2109A55DC418CBF3DCDFC0755B06082FF998D3201E168E88083B6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d
                                                                                          • API String ID: 0-2564639436
                                                                                          • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                          • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                          • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                          • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID: BINARY
                                                                                          • API String ID: 2221118986-907554435
                                                                                          • Opcode ID: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                          • Opcode Fuzzy Hash: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp
                                                                                          • String ID: /stext
                                                                                          • API String ID: 2081463915-3817206916
                                                                                          • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                          • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                          • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                          • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                          APIs
                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                          • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                          • String ID:
                                                                                          • API String ID: 2445788494-0
                                                                                          • Opcode ID: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                                                                          • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                          • Opcode Fuzzy Hash: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                                                                          • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                          APIs
                                                                                          Strings
                                                                                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: malloc
                                                                                          • String ID: failed to allocate %u bytes of memory
                                                                                          • API String ID: 2803490479-1168259600
                                                                                          • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                          • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                                          • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                          • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0041BDDF
                                                                                          • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcmpmemset
                                                                                          • String ID:
                                                                                          • API String ID: 1065087418-0
                                                                                          • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                          • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                          APIs
                                                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                          • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                          • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                            • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                            • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                          • String ID:
                                                                                          • API String ID: 1381354015-0
                                                                                          • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                          • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004301AD
                                                                                          • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memcpymemset
• String ID:
• API String ID: 1297977491-0
• Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
• Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
• Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
• Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
APIs
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
• Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
• Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
• Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
• Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
• Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
• Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
• Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
• Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
• Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
• Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
• Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
• Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID:
                                                                                          • API String ID: 613200358-0
                                                                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                          APIs
                                                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary
                                                                                          • String ID:
                                                                                          • API String ID: 3664257935-0
                                                                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                          APIs
                                                                                          • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                          Similarity
                                                                                          • API ID: EnumNamesResource
                                                                                          • String ID:
                                                                                          • API String ID: 3334572018-0
                                                                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                          APIs
                                                                                          • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary
                                                                                          • String ID:
                                                                                          • API String ID: 3664257935-0
                                                                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                          APIs
                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                          Similarity
                                                                                          • API ID: CloseFind
                                                                                          • String ID:
                                                                                          • API String ID: 1863332320-0
                                                                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                          APIs
                                                                                          • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                          Similarity
                                                                                          • API ID: Open
                                                                                          • String ID:
                                                                                          • API String ID: 71445658-0
                                                                                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                          APIs
                                                                                          • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                          • Opcode Fuzzy Hash: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004095FC
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                            • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                            • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                          Similarity
                                                                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 3655998216-0
                                                                                          • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                          • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                          • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                                                          • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                          • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00445426
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 1828521557-0
                                                                                          • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                          • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                          APIs
                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                          • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??2@FilePointermemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 609303285-0
                                                                                          • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                          • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp
                                                                                          • String ID:
                                                                                          • API String ID: 2081463915-0
                                                                                          • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                          • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                          APIs
                                                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateErrorHandleLastRead
                                                                                          • String ID:
                                                                                          • API String ID: 2136311172-0
                                                                                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                          APIs
                                                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??2@??3@
                                                                                          • String ID:
                                                                                          • API String ID: 1936579350-0
                                                                                          • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                          • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          • String ID:
                                                                                          • API String ID: 1294909896-0
                                                                                          • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                          • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          • String ID:
                                                                                          • API String ID: 1294909896-0
                                                                                          • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                          • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          • String ID:
                                                                                          • API String ID: 1294909896-0
                                                                                          • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                          • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                          • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                          • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32 ref: 004182D7
                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                          • LocalFree.KERNEL32(?), ref: 00418342
                                                                                          • free.MSVCRT ref: 00418370
                                                                                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                          • String ID: OsError 0x%x (%u)
                                                                                          • API String ID: 2360000266-2664311388
                                                                                          • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                          • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                          • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                          • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                          APIs
                                                                                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Version
                                                                                          • String ID:
                                                                                          • API String ID: 1889659487-0
                                                                                          • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                          • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                          • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                          • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                          APIs
                                                                                          • _wcsicmp.MSVCRT ref: 004022A6
                                                                                          • _wcsicmp.MSVCRT ref: 004022D7
                                                                                          • _wcsicmp.MSVCRT ref: 00402305
                                                                                          • _wcsicmp.MSVCRT ref: 00402333
                                                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                          • memset.MSVCRT ref: 0040265F
                                                                                          • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                          • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                          • API String ID: 2929817778-1134094380
                                                                                          • Opcode ID: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                          • Opcode Fuzzy Hash: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                                                                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                          • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                          • GetDC.USER32 ref: 004140E3
                                                                                          • wcslen.MSVCRT ref: 00414123
                                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                          • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                          • _snwprintf.MSVCRT ref: 00414244
                                                                                          • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                          • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                          • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                          • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                          • String ID: %s:$EDIT$STATIC
                                                                                          • API String ID: 2080319088-3046471546
                                                                                          • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                          • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                          • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                          • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                          APIs
                                                                                          • EndDialog.USER32(?,?), ref: 00413221
                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                          • memset.MSVCRT ref: 00413292
                                                                                          • memset.MSVCRT ref: 004132B4
                                                                                          • memset.MSVCRT ref: 004132CD
                                                                                          • memset.MSVCRT ref: 004132E1
                                                                                          • memset.MSVCRT ref: 004132FB
                                                                                          • memset.MSVCRT ref: 00413310
                                                                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                          • memset.MSVCRT ref: 004133C0
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                          • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                          • wcscpy.MSVCRT ref: 0041341F
                                                                                          • _snwprintf.MSVCRT ref: 0041348E
                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                          • SetFocus.USER32(00000000), ref: 004134B7
                                                                                          Strings
                                                                                          • {Unknown}, xrefs: 004132A6
                                                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                          • API String ID: 4111938811-1819279800
                                                                                          • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                          • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                          • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                          • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                          • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                          • EndDialog.USER32(?,?), ref: 0040135E
                                                                                          • DeleteObject.GDI32(?), ref: 0040136A
                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                          • ShowWindow.USER32(00000000), ref: 00401398
                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                          • String ID:
                                                                                          • API String ID: 829165378-0
                                                                                          • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                          • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00404172
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                          • wcscpy.MSVCRT ref: 004041D6
                                                                                          • wcscpy.MSVCRT ref: 004041E7
                                                                                          • memset.MSVCRT ref: 00404200
                                                                                          • memset.MSVCRT ref: 00404215
                                                                                          • _snwprintf.MSVCRT ref: 0040422F
                                                                                          • wcscpy.MSVCRT ref: 00404242
                                                                                          • memset.MSVCRT ref: 0040426E
                                                                                          • memset.MSVCRT ref: 004042CD
                                                                                          • memset.MSVCRT ref: 004042E2
                                                                                          • _snwprintf.MSVCRT ref: 004042FE
                                                                                          • wcscpy.MSVCRT ref: 00404311
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                          • API String ID: 2454223109-1580313836
                                                                                          • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                          • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+v@Fv@Bv
                                                                                          • API String ID: 667068680-1085305157
                                                                                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                          APIs
                                                                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                          • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                          • API String ID: 4054529287-3175352466
                                                                                          • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                          • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _snwprintf$memset$wcscpy
                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                          • API String ID: 2000436516-3842416460
                                                                                          • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                          • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                          APIs
                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1043902810-0
                                                                                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                          APIs
                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                          • memset.MSVCRT ref: 004085CF
                                                                                          • memset.MSVCRT ref: 004085F1
                                                                                          • memset.MSVCRT ref: 00408606
                                                                                          • strcmp.MSVCRT ref: 00408645
                                                                                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                          • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                          • memset.MSVCRT ref: 0040870E
                                                                                          • strcmp.MSVCRT ref: 0040876B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                          • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                          • String ID: ---
                                                                                          • API String ID: 3437578500-2854292027
                                                                                          • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                          • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                          APIs
                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                          • malloc.MSVCRT ref: 004186B7
                                                                                          • free.MSVCRT ref: 004186C7
                                                                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                          • free.MSVCRT ref: 004186E0
                                                                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                          • malloc.MSVCRT ref: 004186FE
                                                                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                          • free.MSVCRT ref: 00418716
                                                                                          • free.MSVCRT ref: 0041872A
                                                                                          • free.MSVCRT ref: 00418749
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free$FullNamePath$malloc$Version
                                                                                          • String ID: |A
                                                                                          • API String ID: 3356672799-1717621600
                                                                                          • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                          • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp
                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                          • API String ID: 2081463915-1959339147
                                                                                          • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                          • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                          • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                           • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 1700100422-0
                                                                                          • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                          • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                          APIs
                                                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                          • String ID:
                                                                                          • API String ID: 552707033-0
                                                                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                          • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                          • strchr.MSVCRT ref: 0040C140
                                                                                          • strchr.MSVCRT ref: 0040C151
                                                                                          • _strlwr.MSVCRT ref: 0040C15F
                                                                                          • memset.MSVCRT ref: 0040C17A
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                          • String ID: 4$h
                                                                                          • API String ID: 4066021378-1856150674
                                                                                          • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                          • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                          • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                          • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$_snwprintf
                                                                                          • String ID: %%0.%df
                                                                                          • API String ID: 3473751417-763548558
                                                                                          • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                          • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                          APIs
                                                                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                          • GetTickCount.KERNEL32 ref: 0040610B
                                                                                          • GetParent.USER32(?), ref: 00406136
                                                                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                          • String ID: A
                                                                                          • API String ID: 2892645895-3554254475
                                                                                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                          • String ID: 0$6
                                                                                          • API String ID: 4066108131-3849865405
                                                                                          • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                          • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004082EF
                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                          • memset.MSVCRT ref: 00408362
                                                                                          • memset.MSVCRT ref: 00408377
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$ByteCharMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 290601579-0
                                                                                          • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                          • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                          • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                          • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040A47B
                                                                                          • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                          • wcslen.MSVCRT ref: 0040A4BA
                                                                                          • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                          • wcslen.MSVCRT ref: 0040A4E0
                                                                                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpywcslen$_snwprintfmemset
                                                                                          • String ID: %s (%s)$YV@
                                                                                          • API String ID: 3979103747-598926743
                                                                                          • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                          • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                          • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                          • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                          APIs
                                                                                          • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                          • API String ID: 2780580303-317687271
                                                                                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                          • wcslen.MSVCRT ref: 0040A6B1
                                                                                          • wcscpy.MSVCRT ref: 0040A6C1
                                                                                          • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                          • wcscpy.MSVCRT ref: 0040A6DB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                          • String ID: Unknown Error$netmsg.dll
                                                                                          • API String ID: 2767993716-572158859
                                                                                          • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                          • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                          APIs
                                                                                          Strings
                                                                                          • out of memory, xrefs: 0042F865
                                                                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                          • too many attached databases - max %d, xrefs: 0042F64D
                                                                                          • database %s is already in use, xrefs: 0042F6C5
                                                                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                          • database is already attached, xrefs: 0042F721
                                                                                          • unable to open database: %s, xrefs: 0042F84E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpymemset
                                                                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                          • API String ID: 1297977491-2001300268
                                                                                          • Opcode ID: 9fef2143278846cd95885c1cbe03afab34c3f4ef307752a183a19874e6a22e95
                                                                                          • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                          • Opcode Fuzzy Hash: 9fef2143278846cd95885c1cbe03afab34c3f4ef307752a183a19874e6a22e95
                                                                                          • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
• Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
• Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
• Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
• Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
Strings
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <%s>, xrefs: 004100A6
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
• Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
• Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
• Instruction Fuzzy Hash: F001C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
• Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
• Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
• Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
• Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
• Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
• Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                          APIs
                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                            • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                          • memset.MSVCRT ref: 0040C439
                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                          • _wcsupr.MSVCRT ref: 0040C481
                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                          • memset.MSVCRT ref: 0040C4D0
                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                          • String ID:
                                                                                          • API String ID: 4131475296-0
                                                                                          • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                          • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004116FF
                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                          • API String ID: 2618321458-3614832568
                                                                                          • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                          • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                          • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                          • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFilefreememset
                                                                                          • String ID:
                                                                                          • API String ID: 2507021081-0
                                                                                          • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                          • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                          • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                          • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                          APIs
                                                                                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                          • malloc.MSVCRT ref: 00417524
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                          • free.MSVCRT ref: 00417544
                                                                                          • free.MSVCRT ref: 00417562
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 4131324427-0
                                                                                          • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                          • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                          • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                          • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                          APIs
                                                                                          • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                          • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                          • free.MSVCRT ref: 0041822B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: PathTemp$free
                                                                                          • String ID: %s\etilqs_$etilqs_
                                                                                          • API String ID: 924794160-1420421710
                                                                                          • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                          • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                          • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                          • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                          APIs
                                                                                          Strings
                                                                                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpy
                                                                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                          • API String ID: 3510742995-272990098
                                                                                          • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                          • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                          • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                          • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0044A6EB
                                                                                          • memset.MSVCRT ref: 0044A6FB
                                                                                          • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                          • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpymemset
                                                                                          • String ID: gj
                                                                                          • API String ID: 1297977491-4203073231
                                                                                          • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                          • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                          • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                          • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                          APIs
                                                                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                          • malloc.MSVCRT ref: 004174BD
                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                          • free.MSVCRT ref: 004174E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 4053608372-0
                                                                                          • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                          • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                          • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                          • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 0040D453
                                                                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                          • String ID:
                                                                                          • API String ID: 4247780290-0
                                                                                          • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                          • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                          • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                          • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
• Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
• Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
• Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
• Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
• Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
• Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
• Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69

APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: AE$"
• API String ID: 568519121-1989281832
• Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
• Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79

APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D

APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658

APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89

APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
• Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
• Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
• Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14

APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Strings
Memory Dump Source
• Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
• Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
• Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
• Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
• Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 004144E7
                                                                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                            • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                          • memset.MSVCRT ref: 0041451A
                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 1127616056-0
                                                                                          • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                          • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                          APIs
                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                          • malloc.MSVCRT ref: 00417459
                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                                          • free.MSVCRT ref: 0041747F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$freemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 2605342592-0
                                                                                          • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                          • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                          • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                          • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                          • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2678498856-0
                                                                                          • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                          • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                          • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                          • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040F673
                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                          • strlen.MSVCRT ref: 0040F6A2
                                                                                          • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 2754987064-0
                                                                                          • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                          • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                          • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                          • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040F6E2
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                          • strlen.MSVCRT ref: 0040F70D
                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 2754987064-0
                                                                                          • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                          • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                          • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                          • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                          APIs
                                                                                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                          • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                          • String ID:
                                                                                          • API String ID: 764393265-0
                                                                                          • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                          • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                          • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                          • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                          APIs
                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$System$File$LocalSpecific
                                                                                          • String ID:
                                                                                          • API String ID: 979780441-0
                                                                                          • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                          • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                          • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                          • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                          APIs
                                                                                          • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                          • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcpy$DialogHandleModuleParam
                                                                                          • String ID:
                                                                                          • API String ID: 1386444988-0
                                                                                          • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                          • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                          • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                          • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                          APIs
                                                                                          • wcschr.MSVCRT ref: 0040F79E
                                                                                          • wcschr.MSVCRT ref: 0040F7AC
                                                                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$memcpywcslen
                                                                                          • String ID: "
                                                                                          • API String ID: 1983396471-123907689
                                                                                          • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                          • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                          APIs
                                                                                          • _snwprintf.MSVCRT ref: 0040A398
                                                                                          • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: _snwprintfmemcpy
                                                                                          • String ID: %2.2X
                                                                                          • API String ID: 2789212964-323797159
                                                                                          • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                          • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                          APIs
                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                          • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID: MZ@
                                                                                          • API String ID: 1378638983-2978689999
                                                                                          • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                          • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                          • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                          • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                          APIs
                                                                                          • wcslen.MSVCRT ref: 0040B1DE
                                                                                          • free.MSVCRT ref: 0040B201
                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                          • free.MSVCRT ref: 0040B224
                                                                                          • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free$memcpy$mallocwcslen
                                                                                          • String ID:
                                                                                          • API String ID: 726966127-0
                                                                                          • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                          • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                          • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                          • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                          APIs
                                                                                          • strlen.MSVCRT ref: 0040B0D8
                                                                                          • free.MSVCRT ref: 0040B0FB
                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                          • free.MSVCRT ref: 0040B12C
                                                                                          • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: free$memcpy$mallocstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3669619086-0
                                                                                          • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                          • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                          • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                          • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                          • malloc.MSVCRT ref: 00417407
                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                          • free.MSVCRT ref: 00417425
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2267802775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                          • Associated: 00000003.00000002.2267802775.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$freemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 2605342592-0
                                                                                          • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                          • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5